- 1:
- 1.1:
- 1.1.1:
- 1.1.2:
- 1.1.3:
- 1.1.3.1:
- 1.1.3.2:
- 1.1.3.3:
- 1.1.3.4:
- 1.1.4:
- 1.1.5:
- 1.1.6:
- 1.1.7:
- 1.1.8:
- 1.1.9:
- 1.1.10:
- 1.1.11:
- 1.1.12:
- 1.2:
- 1.2.1:
- 1.2.2:
- 1.2.2.1:
- 1.2.2.2:
- 1.2.2.3:
- 1.2.3:
- 1.2.4:
- 1.2.4.1:
- 1.2.4.2:
- 1.2.4.3:
- 1.2.4.4:
- 1.2.4.5:
- 1.2.4.6:
- 1.2.4.7:
- 1.2.5:
- 1.2.6:
- 1.2.7:
- 1.2.8:
- 1.2.8.1:
- 1.2.8.2:
- 1.2.8.3:
- 1.2.9:
- 1.2.10:
- 1.2.11:
- 1.3:
- 1.4:
- 2:
- 3:
- 4:
- 5:
- 6:
- 7:
Installation
This guide describes deployment options for various Sysdig components:
Sysdig Agents (also
called Host Agents)
Serverless Agents used
for container-based cloud environments such as Fargate
Sysdig Secure for
cloud connection
components: CIS AWS Benchmarks, threat detection based on
CloudTrail, Fargate image scanning and ECR registry scanning.
Rapid Response
component, allowing
designated Advanced Users to remote connect into a host (available
for Sysdig Secure on-prem only)
Node Analyzer: Multi-Feature
Installation for
benchmarks, host scanning, and the image analyzer.
Admission Controller:
Installation for
enhanced scanning, where container images that do not fulfill the
configured admission policies will be rejected from the cluster
before being assigned to a node and allowed to run.
1 -
Sysdig Agent
Sysdig agents are simple to deploy and upgrade, and out of the box, they
will gather and report on a wide variety of pre-defined metrics. Agent
installation can be as simple as copying and pasting a few lines of code
from a Wizard prompt, or you can follow step-by-step instructions to
check supported environments and distributions, review installation
options, and customize the agent configuration file post-install.
About Sysdig Agent
Sysdig agent is a lightweight host component that processes syscall,
creates capture files, and
performs auditing and compliance. It is a platform that supports
monitoring, securing, and troubleshooting cloud-native environments
In addition, the agent performs the following:
Metrics processing, analysis, aggregation, and transmission
Policy monitoring and alert notification through bidirectional
communication with the Sysdig collector
Integration with third-party software for consolidating customer
ecosystem data
Full assimilation into containerized and orchestrated environment
Data Processing
A top-level flow for monitoring is illustrated in the following diagram.
The following agent components gather relevant data:
Syscall
StatsD
JMX
Promscrape
Store the metrics for analysis.
Sends the metrics in every second for analysis and aggregation.
Build the 10-second roll-up data.
Send the data every tenth second for serialization
Send the serialized metrics to the Sysdig collector
Learn More
1.1 -
Agent Installation
Sysdig agents are delivered as either a container or a service and can
be deployed with or without an orchestrator such as Kubernetes or Mesos.
A quick install involves just a few lines of code from the Getting
Started Wizard copied into a shell. The complete install instructions
address checking for and installing kernel headers if needed, any
prerequisite permissions settings for particular environments, and tips
about updating the configuration files after initial installation.
Plan the Installation
Host Requirements | Review the platforms, runtimes, Linux distributions, orchestration, browsers, etc. that are supported. |
Kernel Header Troubleshooting | Additional tips if your kernel module or header are not automatically compiled by the agent |
Access key | An agent access key is provided with a Sysidg trial |
Installation flavours | Choose one of the installations: Slim Agent : A lighter version of the Sysdig agent created by splitting the regular agent image into two components responsible for different functionalities. You install and run these modules as containers. Regular Agent: The Sysdig agent that you can run as a container or a service.
|
Install Options
Wizard-Based
With the Getting Started Wizard, you can copy/paste a simple line of
code to deploy agents in a variety of environments.
Behind the scenes, the Wizard auto-detects and completes configuration
items such as the required access key and port information. The Wizard
is launched from the Start a Free Trial button at
sysdig.com.
After the first install, Sysdig Secure and Monitor users can access the
Wizard at any time from the Rocket icon in the navbar.
Manual Options
There are a variety of ways to install agents without using the Wizard.
Certain environments may need a different option:
1.1.1 -
Host Requirements for Agent Installation
Sysdig agents can be installed on a wide array of Linux hosts. Check
your environment to ensure it meets the minimum supported platform,
operating system, runtime, and orchestration requirements and uses the
appropriate installation instructions.
Versioning Scheme
The versioning scheme for agent releases has been updated with version
9.5.0.
Previous versions used the format, <version number><hotfix> such as,
0.94.0.
Sysdig is aligning version numbers to the rest of the product. The new
version number reflects the maturity of the agent software over the last
several years. Starting v9.5.0, all agent versions are numbered
as Major.minor.hotfix.
We encourage users to be on the latest version of the agent. Starting
with
v9.6.0,
we support n-3 versions backbased on the minor number. For example,
if the release is v9.6.0, we will support n-3 versions back, for
example, to 9.3.0. The old version scheme is 0.93.0.
Agent Installation Requirements
AWS AWS Elastic Kubernetes Service (EKS), Elastic Cloud Compute
(EC2), AWS Elastic Container Service (ECS) on AWS Cloud or AWS
Outpost
Google Cloud Provider (GCP) and Google Kubernetes Engine (GKE).
Microsoft Azure and Microsoft Azure Container Service (AKS)
IBM: Including IBM Cloud Kubernetes Service (IKS)
Private Data Center
See the Supported Linux Distributions table, below.
Container Runtimes
The agent supports the detection of Docker, RKT, LXC, containerd, CRI-O,
and Mesos containers.
Prerequisites for CRI-O Environments
Agent artifacts are stored on the Docker registry. In CRI-O and
Kubernetes environments, Docker is not a specified registry by default.
In order to prevent image pull failure for Sysdig agent installations in
CRI-O environments, add docker.ioto the CRI-O configuration file:
Edit /etc/crio/crio.conf.
Add registries = ["docker.io"] to the crio.conf file.
For example:
# registries is used to specify a comma separated list of registries to be used
# when pulling an unqualified image (e.g. fedora:rawhide).
registries = [
“registry.example.xyz”,
“docker.io”
]
Restart CRI-O.
Prerequisites for Podman Environments
Sysdig agent supports running as a
Podman container.
Enable Podman API service for all the users.
The agent will not able to collect Podman-managed container
metadata, such as the container name, if the API service is not
enabled.
Secure rules and policies that depend on container metadata other
than the container ID will not work.
Pausing and terminating containers will not work because Policy
actions for Podman are not supported.
The containers started as a non-root user will have the
podman_owner_uid label associated with it if the API service is
enabled for that user. The value of podman_owner_uid will be the
numeric user ID corresponding to the user that started the
container.
Supported Container Registries
Quay.io
For example, to pull the latest agent container from Quay.io:
docker pull quay.io/sysdig/agent
Docker Hub
For example, to pull the latest agent container from Docker Hub:
docker pull sysdig/agent
Supported Linux Distributions
Core set of distributions: | | Core set | Ubuntu/COS | Core set |
Orchestrator: Yes/No
If NO orchestrator is used, follow the installation instructions for
Agent Install:
Non-Orchestrated .
If you ARE using an orchestrator what kind are you using?
Supported Open-Source Orchestrators
Supported Java Versions and Vendors
The Sysdig agent supports only:
Java versions: 7 and above
Vendors: Oracle, OpenJDK
For Java-based applications (Cassandra, Elasticsearch, Kafka, Tomcat,
Zookeeper and etc.), the Sysdig agent requires the Java runtime
environment (JRE) to be installed to poll for metrics (beans).
If the Docker-container-based Sysdig agent is installed, the JRE is
installed alongside the agent binaries and no further dependencies
exist. However, if you are installing the service-based agent
(non-container) and you do not see the JVM/JMX metrics reporting, your
host may not have the JRE installed or it may not be installed in the
expected location: usr/bin/java
Resource Limits
The resource requirements of the agent are subjective to the size and
load of the host— more activity equates to more resources required. At a
minimum, the agent requires 2% of the total CPU and 512MiB of memory.
It is typical to see between 5-20KiB/s of bandwidth consumed—different
variables can increase the throughput required such as the number of
metrics, events, Kubernetes objects, and which products and features are
enabled. When a Sysdig Capture is being collected, you can expect to see
a spike in bandwidth while the capture file is being ingested.
We do not recommend placing bandwidth shaping or caps on the agent to
ensure data can be sent to our collection service.
Supported Web Browsers
Sysdig supports, tests, and verifies the latest versions of Chrome and
Firefox.
Other browsers may also work, but are not tested in the same way.
Additional Requirements
Access key
The installation of the Sysdig agent requires an access key. This
key and the agent installation instructions are presented to you after
activating your account and using a web-based wizard upon initial login.
The same information can also be found in the
Settings > Agent Installation menu of the web interface after logging
in. See Agent Installation: Overview and
Key for details.
Network connection
A Sysdig agent (containerized or native) is installed into each host
being monitored and will need to be able to connect to the Sysdig
Monitor backend servers to report host metrics. The agent must be able
to reach the Sysdig Collector addresses. For example, for US East, it is
‘collector.sysdigcloud.com’ (via
multiple IPs) over port tcp/6443 . See Sysdig Collector
Ports for supported ports
for other regions.
The agent supports the HTTP proxy for communicating with Sysdig backend
components. For more information, see Enable HTTP Proxy for
Agents.
Tagging your hosts is highly recommended. Tags allow you to sort nodes
of your infrastructure into custom groups in Sysdig Monitor.
Replace the [TAGS] parameter in the configuration file with a
comma-separated list in the form of TAG_NAME:TAG_VALUE. For
example, role:webserver,location:europe.
See Understanding the Agent Config
Files.
TracePoints Support
All supported distribution released kernels have this support but if
creating a custom kernel, it must support the following options:
CONFIG_TRACEPOINTS
CONFIG_HAVE_SYSCALL_TRACEPOINTS
See Also
Kernel Header
Troubleshooting
1.1.1.1 -
Tuning Sysdig Agent
The resource requirements for the Sysdig agent are subjective to the
size and load of the host. Increased activity equates to higher resource
requirements. At a minimum, the agent requires 2% of the total CPU and
512 MiB of memory.
You might see 5 to 20 KiB/s of bandwidth consumed. Different variables
can increase the throughput required. For example:
When a Sysdig Capture is being collected, you can expect to see a spike
in the bandwidth while the capture file is being ingested.
Sysdig does not recommend placing bandwidth shaping or caps on the agent
to ensure that data is sent to the Sysdig Collection service.
In general, in larger clusters, the agent requires more memory, and in
servers with a high number of cores, the agent requires more CPU cores
to monitor all the system calls. You will use CPU cores on the host and
the Kubernetes nodes visible to the agent as proxies for the rate of
events processed in the agent.
Similarly, there are different factors that are at play, and considering
all the factors, we recommend the following:
Small: CPU core count <= 8. Kubernetes nodes <=10
Medium: 8 < CPU core count <= 32. 10 < Kubernetes nodes
<= 100
Large: CPU core count > 32. Kubernetes nodes > 100
While you can expect the behavior with the given numbers to be better
than simply using the default values, Sysdig cannot guarantee that
resource allocation will be correct for all the cases.
| Cluster Size | Small | Medium | Large |
|---|
| Kubernetes CPU Request | 1 | 3 | 5 |
| Kubernetes CPU Limit | 1 | 3 | 5 |
| Kubernetes Memory Request | 1024 MB | 3072 MB | 6144 MB |
| Kubernetes Memory Limit | 1024 MB | 3072 MB | 6144 MB |
| Dragent Memory Watchdog | 512 MB | 1024 MB | 2048 MB |
| Cointerface Memory Watchdog | 512 MB | 2048 MB | 4096 MB |
Note that the agent has its own memory watchdog to prevent runaway
memory consumption on the host in case of memory leaks. The default
values of the watchdog are specified in the following agent
configuration file.
watchdog:
max_memory_usage_mb: 1024
max_memory_usage_subprocesses:
sdchecks: 128
sdjagent: 256
mountedfs_reader: 32
statsite_forwarder: 32
cointerface: 256
All the values are given in MiB.
For example, to match the agent watchdog settings with large values, the
agent configuration would be:
watchdog:
max_memory_usage_mb: 2048
max_memory_usage_subprocesses:
sdchecks: 128
sdjagent: 256
mountedfs_reader: 32
statsite_forwarder: 32
cointerface: 4096
1.1.1.2 -
In addition to the information on Host Requirements for Agent
Installation, this page
describes how the agent uses kernel headers and tips on troubleshooting,
if needed.
About Kernel Headers and the Kernel Module
The Sysdig agent requires a kernel module in order to install
successfully on a host. This can be obtained in three ways:
Agent compiles the module using kernel headers.
If the hosts in your environment already have kernel header files
pre-installed, no special action is needed. Or you can install the
kernel headers manually; see below.
Agent auto-downloads precompiled modules from Sysdig’s AWS storage
location.
If the headers are not already installed but the agent is able to
auto-download, no special action is needed. If there is no internet
connectivity, you can use method 3 (download from an internal URL).
Agent downloads precompiled modules from an internal URL.
Use the environment variable SYSDIG_PROBE_URL. See also
Understanding the Agent Config
Files. Contact Sysdig
support for assistance.
In some cases, the host(s) in your environment may use Unix versions
that do not match the provided headers, and the agent may fail to
install correctly. In those cases, you must install the kernal headers
manually.
Debian-Style
For Debian-syle distributions, run the command:
apt-get -y install linux-headers-$(uname -r)
RHEL-Style
For RHEL-style distributions, run the command:
yum -y install kernel-devel-$(uname -r)
RancherOS
For RancherOS distributions, the kernel headers are available in the
form of a system service and therefore are enabled using the
ros service command:
sudo ros service enable kernel-headers-system-docker
sudo ros service up -d kernel-headers-system-docker
NOTE: Some cloud hosting service providers supply pre-configured Linux
instances with customized kernels. You may need to contact your
provider’s support desk for instructions on obtaining appropriate header
files, or for installing the distribution’s default kernel.
During an agent installation in an Amazon machine image (AMI) you may
encounter the following errors while the installer is trying to compile
the Sysdig kernel module:
Errors
This indicates your machine is running a kernel in an older AMI for
which the kernel headers are no longer available in the configured
repositories. The issue has to do with Amazon purging packages in the
yum repository when new Amazon Linux machine images are released.
The solution is either to update your kernel to a version for which
header files are readily available (recommended), or perform a one-time
installation of the kernel headers for your older AMI.
Option 1: Upgrade Your Host’s Kernel
First install a new kernel and reboot your instance:
sudo yum -y install kernel
sudo reboot
After rebooting, check to see if the host is reporting metrics to your
Sysdig account. If not, you may need to issue three more commands to
install the required header files:
sudo yum -y install kernel-devel-$(uname -r)
sudo /usr/lib/dkms/dkms_autoinstaller start
sudo service dragent restart
Although it is recommended to upgrade to the latest kernel for security
and performance reasons, you can alternatively install the older headers
for your AMI.
Find the the AMI version string and install the appropriate headers with
the commands:
releasever=$(cat /etc/os-release | grep 'VERSION_ID' | grep -Eo "[0-9]{4}\.[0-9]{2}")
sudo yum -y --releasever=${releasever} install kernel-devel-$(uname -r)
Issue the remaining commands to allow the Sydig Agent to start
successfully:
sudo /usr/lib/dkms/dkms_autoinstaller start
sudo service dragent restart
Reference: Find Your AWS Instance Image Version
The file /etc/image-id shows information about the original machine
image with which your instance was set up:
[ec2-user ~]$ cat /etc/image-id
image_name="amzn-ami-hvm"
image_version="2017.03"
image_arch="x86_64"
image_file="amzn-ami-hvm-2017.03.0.20170401-x86_64.ext4.gpt"
image_stamp="26a3-ed31"
image_date="20170402053945"
recipe_name="amzn ami"
recipe_id="47cfa924-413c-d460-f4f2-2af7-feb6-9e37-7c9f1d2b"
This file will not change as you install updates from the yum
repository.
The file /etc/system-release will tell what version of the AWS image
is currently installed:
[ec2-user ~]$ cat /etc/system-release
Amazon Linux AMI release 2017.03
1.1.2 -
Quick Install Sysdig Agent on Kubernetes
Sysdig provides a single-line Sysdig Agent
installer
to help you get started quickly in Kubernetes environments. The code for
using the installer is also presented in the Get
Started pages of the Sysdig
Monitor and Sysdig Secure UIs, with some of the values auto-completed.
This page documents the single-line installer options in more detail.
You can also access the help by using the following command:
$ ./install-agent-kubernetes --help
Access from Get Started Pages
To access the quick-install code pre-filled with some of your
environment variables:
Log in as admin to Sysdig Monitor or Sysdig Secure.
Select the Get Started
page (rocket icon).
Choose Install the Agent, select the appropriate deployment type
(e.g. Helm or Kubernetes), and copy the auto-generated code, filling
in remaining variable
values
as required.
Sample Usage
$ install-agent-kubernetes [-a | --access_key <value>] [-t | --tags <value>] [-c | --collector <value>] [-cp | --collector_port <value>] [-s | --secure <value>] [-cc | --check_certificate <value>] [-ns | --namespace | --project <value>] [-ac | --additional_conf <value>] [-op | --openshift] [-as | --agent_slim] [-av | --agent_version <value>] [-ae | --api_endpoint <value> ] [-na | --nodeanalyzer ] [-ia | --imageanalyzer ] [-am | --analysismanager <value>] [-ds | --dockersocket <value>] [-cs | --crisocket <value>] [-cv | --customvolume <value>] [-cn | --cluster_name <value>] [-r | --remove ] [-h | --help]
Options
-a
| The agent access key. You can retrieve this from Settings > Agent Installation in either Sysdig Monitor or Sysdig Secure. |
-t
| The list of tags for the host where the agent is installed. For example: "role:webserver, location:europe", "role:webserver" or "webserver". |
-c or collector_url
| The collector URL for Sysdig Monitor or Sysdig Secure. This value is region-dependent in SaaS and is auto-completed on the Get Started page in the UI. It is a custom value in on-prem installations. |
-cp
| The collector port. The default is 6443. |
-s
| Use a secure SSL/TLS connection to send metrics to the collector. This option is enabled by default. |
-cc
| Enable strong SSL certificate check. The default is true. |
-ns
| If a value is provided, the agent will be deployed to the specified namespace/project. The default is sysdig-agent. |
-op
| If provided, perform the agent installation using the OpenShift command line. |
-ac
| If a value is provided, the additional configuration will be appended to the agent configuration file. |
-av
| If a version is provided, use the specified agent version. The default is the latest version. |
-r
| If a value is provided, the daemonset, configmap, cluster role binding, service acccount and secret associated with the Sysdig Agent will be removed from the specified namespace. |
-ae
| The api_endpoint is the region-dependent domain for the Sysdig product, without the protocol. E.g. secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com |
-h
| Print this usage and exit. |
Sysdig Secure Only | |
-na
| If provided, will install the Node Analyzer tools. It is an error to set both -ia and -na. |
-ds
| The docker socket for Image Analyzer. |
-cs
| The CRI socket for Image Analyzer. |
-cv
| The custom volume for Image Analyzer. |
-h
| Print this usage and exit. |
Sysdig Secure Only (Legacy) These values apply to the Node Image Analyzer (v1) in Sysdig Secure. | |
-am
| The Analysis Manager endpoint for Sysdig Secure. |
-ia
| If provided, will install the Node Image Analyzer (v1). It is an error to set both -ia and -na. The v1 Node Image Analyzer will be deprecated and replaced by the NA tools. |
1.1.3 -
Agent Install: Kubernetes
This document describes how to install a regular Sysdig agent container
in a Kubernetes environment. This document
assumes you will run the agent container as a Kubernetes pod, which then
enables the Sysdig agent automatically to detect and monitor your
Kubernetes environment.
If you want to install a slim agent, see Install Slim
Agent.
It is relevant for any platform where Kubernetes is deployed, including
Amazon environments (EKS,
EC2, ECS),
Azure Container Service (AKS), Google Kubernetes Engine
(GKE), Red Hat
OpenShift, and IBM Cloud Kubernetes
Service (IKS).
You use
DaemonSets
to deploy agents on every node in your Kubernetes environment. Once
deployed, Sysdig Monitor automatically begins monitoring all of your
hosts, apps, pods, and services and automatically connects to the
Kubernetes API server to pull relevant metadata about the environment.
If licensed, Sysdig Secure launches with default policies that you can
view and configure to suit your needs. You can access the front-end web
interfaces for Sysdig Monitor and Sysdig Secure immediately.
Prerequisites
A supported distribution. See Host Requirements for Agent
Installation for
details.
Kubernetes v 1.9+: The agent installation on Kubernetes requires
using v1.9 or higher because the APIs used to fetch kubernetes
metadata are only present in v1.9+.
Sysdig account and access key: Request a trial or full account
at Sysdig.com and click the Activate Account button. You create
a Sysdig user name and password.
The Getting Started Wizard provides an access key.
Runtime Support: CRI-O and Containerd
By default, Sysdig agents deployed in Kubernetes automatically detect
metadata from containerd and CRI-O (in
addition to Docker), as long as the prerequisites are fulfilled.
After reviewing the information on this page, continue with the Sysdig
agent installation steps: Kubernetes Agent Installation
Steps.
Containerd Support
As of agent version 0.88.1, the Sysdig agent will automatically detect
containerd metadata (as well as any Docker
metadata) in your environment, as long as the prerequisites are
fulfilled.
Prerequisites
Agent version: Sysdig agent version 0.88.1 or higher
NOTE: If you are upgrading from an earlier version of the agent,
you must also download the latest
sysdig-agent-daemonset-v2.yamlfrom GitHub.
Configuration parameter: In the agent config file,
new_k8s: true must be set.
As of agent 9.6.0, new_k8s is enabled by default.
See Enable Kube State Metrics and Cluster Name below for details
on editing the config file.
Kubernetes-only: The containerd API must support
CRI
(a Kubernetes runtime interface).
Results in the Sysdig Monitor UI
If the Sysdig agent detects containerd metadata, it will be reported in
the front end as follows:
Explore/Dashboard views: The icon next to container-specific
items (container.name,
container.id, etc.) shows whether it’s a
Docker or containerd object.
Spotlight: Updated for containerd display.
Events: Containerd events die and oom are enabled by
default.
Events create and exit are also supported.
CRI-O Support
The Sysdig agent will automatically detect CRI-O
metadata (as well as any Docker and/or containerd metadata) in your
environment, as long as the Prerequisites are fulfilled.
Prerequisites
Platform version: Sysdig SaaS March 2019or higher
Agent version: Sysdig agent v 0.89.4 March 27, 2019 or higher.
NOTE: If you are upgrading from an earlier version of the agent,
you must also download the latest
sysdig-agent-daemonset-v2.yamlfrom GitHub.
Configuration parameter: In the agent config file,
new_k8s: true must be set.
See Enable Kube State Metrics and Cluster Name below for details
on editing the config file.
Kubernetes-only: The API must support
CRI
(a Kubernetes runtime interface).
Results in the Sysdig Monitor UI
Events: There are no CRI-O events, so the Events pane remains
unchanged.
Explore/Dashboard views: The icon next to container-specific
items (container.name,
container.id, etc.) shows CRI-O type.
Supported Metrics: By default, the same metrics are supported
for CRI-O as for Docker and containerd, except for image id
(container.image.id).
As of agent version 0.92.1, this setting is enabled by default.
To enable image id metrics, edit the agent configuration file
dragent.yaml to contain the following:
cri:
extra_queries: true
See Understanding the Agent Config
Files for more information
on editing dragent.yaml.
Complete the Installation
Choose the appropriate link to complete the installation steps:
1.1.3.1 -
Steps for Kubernetes (Vanilla)
Preparation
The Sysdig agent requires kernel header files to install successfully on
a host.
This setup step is required for some environments and not others, as
noted.
If the hosts in your environment match the pre-compiled kernel modules
available from Sysdig, no special action is required.
In some cases, the host(s) in your environment may use Unix versions
that do not match the provided headers, and the agent may fail to
install correctly. In those cases, you must install the kernel headers
manually.
To do so:
For Debian-style distributions, run the command:
apt-get -y install linux-headers-$(uname -r)
For RHEL-style distributions, run the command:
yum -y install kernel-devel-$(uname -r)
Background info: see also About Kernel Headers and the Kernel
Module.
Background Info
You can review Agent Install: Kubernetes | GKE | OpenShift |
IBM and the Host
Requirements for Agent
Installation for additional
context, if desired.
Installation Steps
To deploy agents using Kubernetes daemonsets, you will
download
the following configuration files, edit them as required, and deploy
them.
sysdig-agent-clusterrole.yaml
sysdig-agent-service.yaml
sysdig-agent-daemonset-v2.yaml
sysdig-agent-configmap.yaml
HELM CHART OPTIONKubernetes also offers a package manager,
Helm, which uses charts to simplify this process.
If you are using Helm charts in your K8s environment, we recommend using
them to deploy Sysdig agents, as described
here.
Deploy the Agents
Download
the sample files:
sysdig-agent-clusterrole.yaml
sysdig-agent-daemonset-v2.yaml
sysdig-agent-configmap.yaml
sysdig-agent-service.yaml
Create a namespace to use for the Sysdig agent.
You can use whatever naming you prefer. In this document, we used
sysdig-agent for both the namespace and the service account.
The default service account name was automatically defined in
sysdig-agent-daemonset-v2.yaml, at the line:
serviceAccount: sysdig-agent.
kubectl create ns sysdig-agent
Create a secret key:
kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
Create a cluster role and service account, and define the cluster
role bindingthat grants the Sysdig agent rules in the cluster role,
using the commands:
kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
kubectl create serviceaccount sysdig-agent -n sysdig-agent
kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
Edit sysdig-agent-configmap.yaml to add the collector address ,
port , and the SSL/TLS information:
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
(All installs) Apply the sysdig-agent-configmap.yaml file:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
(All installs) Apply the sysdig-agent-service.yaml file:
kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
This allows the agent to receive Kubernetes audit events from the
Kubernetes API server. See Kubernetes Audit
Logging for information
on enabling Kubernetes audit logging.
(All installs) Apply the daemonset-v2.yaml file :
kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
The agents will be deployed. See Getting Started with Sysdig
Monitor
to view some metrics in the Sysdig Monitor UI. You can make further
edits to the configmap as described below.Getting
Started with Sysdig Monitor
Enable Kube State Metrics and Cluster Name
These steps are optional but recommended.
Edit sysdig-agent-configmap.yaml to uncomment the line:
new_k8s: true
This allows kube state metrics to be automatically detected,
monitored, and displayed in Sysdig Monitor.
For more information, see the Kube State
Metrics
entry in the Sysdig blog.
As of agent 9.6.0, new_k8s is enabled by default.
Edit sysdig-agent-configmap.yaml to uncomment the line:
**k8s_cluster_name: **and add your cluster name.
Setting cluster name here allows you to view, scope, and segment
metrics in the Sysdig Monitor UI by the Kubernetes cluster.
Note: Alternatively, if you assign a tag with “cluster” in the
tag name, Sysdig Monitor will display that as the Kubernetes cluster
name.
Apply the configmap changes using the command:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Proceed to verify the metrics in the Sysdig Monitor UI.
There are two ways to update the agent
configuration
Option 1: Edit the files locally and apply the changes with
kubectl apply -f:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Option 2: Use kubectl edit to edit files on the fly:
kubectl edit configmap sysdig-agent -n sysdig-agent
Running agents will automatically pick the new configuration after
Kubernetes pushes the changes across all the nodes in the cluster.
Additional Options
Connect to the Sysdig Backend via Static IPs (SaaS only)
Sysdig provides a list of static IP addresses that can be whitelisted in
a Sysdig environment, allowing users to establish a network connection
to the Sysdig backend without opening complete network connectivity.
This is done by setting the Collector IP to
collector-static.sysdigcloud.com.
The sysdig-agent-configmap.yaml file can be edited either locally or
using the edit command in Kubernetes. refer to the section above for
more information.
To configure the collector IP in a Kubernetes SaaS instance:
Open sysdig-agent-configmap.yaml in a text editor.
Uncomment the following lines:
Set the collector: value to
collector-static.sysdigcloud.com
See SaaS Regions and IP
Ranges and identify the
correct URL associated with your Sysdig collector and region.
Set the collector_port: value to 6443
Save the file.
The example file below shows how the sysdig-agent-configmap.yaml file
should look after configuration:
apiVersion: v1
kind: ConfigMap
metadata:
name: sysdig-agent
data:
dragent.yaml: |
### Agent tags
# tags: linux:ubuntu,dept:dev,local:nyc
#### Sysdig Software related config ####
# Sysdig collector address
collector: collector-static.sysdigcloud.com
# Collector TCP port
collector_port: 6443
# Whether collector accepts ssl/TLS
ssl: true
# collector certificate validation
ssl_verify_certificate: true
# Sysdig Secure
security:
enabled: true
#######################################
# new_k8s: true
# k8s_cluster_name: production
Verify Metrics in Sysdig Monitor UI
Log in to Sysdig Monitor to verify that the agent deployed and the
metrics are detected and collected appropriately.
The steps below give one way to do the check.
Access Sysdig Monitor:
SaaS: See SaaS Regions and IP
Ranges and identify the
correct domain URL associated with your Sysdig application and
region. For example, for US East, the URL is
https://app.sysdigcloud.com.
For other regions, the format is
https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysidig
application is hosted. For example, for Sysdig Monitor in the EU,
you use
https://eu1.app.sysdig.com.
Log in with your Sysdig user name and password.
Select the Explore tab to see if metrics are displayed.
(Once you have enabled new_k8s:true): To verify that kube state
metrics and cluster name are working correctly: Select the Explore
tab and create a grouping by kubernetes.cluster.name and
kubernetes.pod.name.
As of agent 9.6.0, new_k8s is enabled by default.
Select an individual container or pod to see details.
Kubernetes metadata (pods, deployments etc.) appear a minute or two
later than the nodes/containers themselves; if pod names do not appear
immediately, wait and retry the Explore view.
If agents are disconnecting, there could be an issue with your MAC
addresses. See Troubleshooting Agent
Installation for tips.
1.1.3.2 -
Steps for GKE
Google Kubernetes Engine
(GKE) is a managed
environment for running Kubernetes in Google Cloud, in order to deploy
containerized applications. As of Sysdig agent version 0.88, Sysdig
supports all flavors of GKE, including Ubuntu and GKE’s default
Container-Optimized OS
(COS).
Note that the standard Sysdig agent cannot be installed on GKE COS
because Sysdig relies on a kernel module that COS does not allow. To
accommodate this limitation Sysdig has developed an alternate probe
built on
eBPF, a
“universal in-kernel virtual machine.”
eBPF probe is supported only in GKE COS environments.
The instructions below describe a standard GKE agent install and call
out the special steps needed to install the eBPF probe if you are using
COS.
Preparation
Open Port 6443 for Agent Egress
Because GKE uses stateful firewalls, you must actively open port 6443
for the Sysdig agent outbound traffic.
In earlier versions, the Sysdig Agent connected to port 6666. This
behavior has been deprecated, as the Sysdig agent now connects to port
6443.
GKE COS/eBPF-Specific Requirements
Linux kernel version >= 4.14.
When performing the installation steps, you will add one additional
parameter to install the eBPF probe. See Step 7, below. Note that
the eBPF probe is supported only in GKE COS environments.
Background Info
You can review Agent Install: Kubernetes | GKE | OpenShift |
IBM and the Host
Requirements for Agent
Installation for additional
context, if desired.
Installation Steps
To deploy agents using Kubernetes daemonsets, you will
download
the following configuration files, edit them as required, and deploy
them.
sysdig-agent-clusterrole.yaml
sysdig-agent-daemonset-v2.yaml
sysdig-agent-configmap.yaml
HELM CHART OPTIONKubernetes also offers a package manager,
Helm, which uses charts to simplify this process.
If you are using Helm charts in your K8s environment, we recommend using
them to deploy Sysdig agents, as described
here.
Deploy the Agents
Download
the sample files:
sysdig-agent-clusterrole.yaml
sysdig-agent-daemonset-v2.yaml
sysdig-agent-configmap.yaml
sysdig-agent-service.yaml
Create a namespace to use for the Sysdig agent.
You can use whatever name you want. In this document, we used
sysdig-agent for both the namespace and the service account.
kubectl create ns sysdig-agent
Create a secret key:
kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
If you are running Kubernetes 1.6 or higher, you must
Grant your user the ability to create roles in Kubernetes by
running the following command (see Google
documentation
for more):
kubectl create clusterrolebinding your-user-cluster-admin-binding --clusterrole=cluster-admin --user=your.google.cloud.email@example.org
Create a service account for the Sysdig agent using the
clusterrole.yaml file.
The Sysdig agent must be granted read-only access to certain
Kubernetes APIs, which the agent uses to populate metadata and
provide component metrics.
Sysdig provides a config file in GitHub. Deploying this file creates
a cluster role and service account in Kubernetes, and defines
cluster role binding that grants the Sysdig agent rules in the
cluster role.
Run the following commands (using whatever namespace you defined in
Step 2):
kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
kubectl create serviceaccount sysdig-agent -n sysdig-agent
kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
Edit sysdig-agent-configmap.yaml to add the collector address,
port, and the SSL/TLS information :
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
(All installs) Apply the sysdig-agent-configmap.yaml file using
the command:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
FOR GKE COS ONLY: To enable the eBPF probe required for COS,
uncomment the following parameters in
sysdig-agent-daemonset-v2.yaml under the env section:
env:
- name: SYSDIG_BPF_PROBE
value: ""
Apply the sysdig-agent-service.yaml file:
kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
This allows the agent to receive Kubernetes audit events from the
Kubernetes API server. See Kubernetes Audit
Logging for information
on enabling Kubernetes audit logging.
(All installs) Apply the daemonset-v2.yaml file using the command:
kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
The agents will be deployed and you can see Getting Started with Sysdig
Monitor
to view some metrics in the Sysdig Monitor UI. You can make further
edits to the configmap as described below.Getting
Started with Sysdig Monitor
Enable Kube State Metrics and Cluster Name
These steps are optional but recommended.
Edit sysdig-agent-configmap.yaml to uncomment the line:
new_k8s: true
This allows kube state metrics to be automatically detected,
monitored, and displayed in Sysdig Monitor.
For more information, see the Kube State
Metrics
entry in the Sysdig blog.
As of agent 9.6.0, new_k8s is enabled by default.
Edit sysdig-agent-configmap.yaml to uncomment the line:
**k8s_cluster_name: **and add your cluster name.
Setting cluster name here allows you to view, scope, and segment
metrics in the Sysdig Monitor UI by the Kubernetes cluster.
Note: Alternatively, if you assign a tag with “cluster” in the
tag name, Sysdig Monitor will display that as the Kubernetes cluster
name.
Apply the configmap changes using the command:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Proceed to verify the metrics in the Sysdig Monitor UI.
There are two ways to update the agent
configuration
Option 1: Edit the files locally and apply the changes with
kubectl apply -f:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Option 2: Use kubectl edit to edit files on the fly:
kubectl edit configmap sysdig-agent -n sysdig-agent
Running agents will automatically pick the new configuration after
Kubernetes pushes the changes across all the nodes in the cluster.
Verify Metrics in Sysdig Monitor UI
Log in to Sysdig Monitor to verify that the agent deployed and the
metrics are detected and collected appropriately.
The steps below give one way to do the check.
Access Sysdig Monitor:
SaaS: See SaaS Regions and IP
Ranges and identify the
correct domain URL associated with your Sysdig application and
region. For example, for US East, the URL is
https://app.sysdigcloud.com.
For other regions, the format is
https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysidig
application is hosted. For example, for Sysdig Monitor in the EU,
you use
https://eu1.app.sysdig.com.
Log in with your Sysdig user name and password.
Select the Explore tab to see if metrics are displayed.
(Once you have enabled new_k8s:true): To verify that kube state
metrics and cluster name are working correctly: Select the Explore
tab and create a grouping by kubernetes.cluster.name and
kubernetes.pod.name.
As of agent 9.6.0, new_k8s is enabled by default.
Select an individual container or pod to see details.
Kubernetes metadata (pods, deployments etc.) appear a minute or two
later than the nodes/containers themselves; if pod names do not appear
immediately, wait and retry the Explore view.
If agents are disconnecting, there could be an issue with your MAC
addresses. See Troubleshooting Agent
Installation for tips.
Additional Options
Connect to the Sysdig Backend via Static IPs (SaaS only)
Sysdig provides a list of static IP addresses that can be whitelisted in
a Sysdig environment, allowing users to establish a network connection
to the Sysdig backend without opening complete network connectivity.
This is done by setting the Collector IP to
collector-static.sysdigcloud.com.
The sysdig-agent-configmap.yaml file can be edited either locally or
using the edit command in Kubernetes. refer to the section above for
more information.
To configure the collector IP in a Kubernetes SaaS instance:
Open sysdig-agent-configmap.yaml in a text editor.
Uncomment the following lines:
Set the collector: value to
collector-static.sysdigcloud.com
Set the collector_port: value to 6443
Save the file.
The example file below shows how the sysdig-agent-configmap.yaml file
should look after configuration:
apiVersion: v1
kind: ConfigMap
metadata:
name: sysdig-agent
data:
dragent.yaml: |
### Agent tags
# tags: linux:ubuntu,dept:dev,local:nyc
#### Sysdig Software related config ####
# Sysdig collector address
collector: collector-static.sysdigcloud.com
# Collector TCP port
collector_port: 6443
# Whether collector accepts ssl/TLS
ssl: true
# collector certificate validation
ssl_verify_certificate: true
# Sysdig Secure
security:
enabled: true
#######################################
# new_k8s: true
# k8s_cluster_name: production
1.1.3.3 -
Steps for OpenShift
Review the Prerequisites in Agent Install: Kubernetes | GKE |
OpenShift | IBM and the
Host Requirements for Agent
Installation, then proceed
with the installation.
The Sysdig agent requires kernel header files to install successfully on
a host.
This setup step is required for some environments and not others, as
noted.
If the hosts in your environment match the pre-compiled kernel modules
available from Sysdig, no special action is required.
In some cases, the host(s) in your environment may use Unix versions
that do not match the provided headers, and the agent may fail to
install correctly. In those cases, you must install the kernel headers
manually.
To do so:
For Debian-style distributions, run the command:
apt-get -y install linux-headers-$(uname -r)
For RHEL-style distributions, run the command:
yum -y install kernel-devel-$(uname -r)
Background info: see also About Kernel Headers and the Kernel
Module.
If you are using Red Hat OpenShift, these steps are required. They
describe how to create a project, assign and label the node selector,
create a privileged service account, and add it to a cluster role.
Copy/Paste Sample Code Block
In the example code, this document uses sysdig-agent for the
PROJECT NAME (-n), the SERVICE ACCOUNT (-z), and the NODE SELECTOR.
You can copy-paste the code as-is, or follow the steps below to
customize your naming conventions.
oc adm new-project sysdig-agent --node-selector='app=sysdig-agent'
oc label node --all "app=sysdig-agent"
oc project sysdig-agent
oc create serviceaccount sysdig-agent
oc adm policy add-scc-to-user privileged -n sysdig-agent -z sysdig-agent
oc adm policy add-cluster-role-to-user cluster-reader -n sysdig-agent -z sysdig-agent
Customize the Code
You can use your own Project Name and Node Selector names if
desired.
Note that if you use a different Service Acccount name, you will
need to edit the default service account in the Sysdig Installation
Steps, below.
Create a new OpenShift project for the Sysdig agent deployment and
assign the node selector:
oc adm new-project PROJECT-NAME --node-selector="app=APP-NAME"
Label the node with the node selector:
oc label node --all "app=APP-NAME"
Change to the new OpenShift Project for the Sysdig agent deployment:
oc project PROJECT-NAME
Create a service account for the project:
oc create serviceaccount SERVICE-ACCOUNT
Add the service account to privileged Security Context
Constraints:
oc adm policy add-scc-to-user privileged -n PROJECT-NAME -z SERVICE-ACCOUNT
Add the service account to the cluster-reader Cluster Role:
oc adm policy add-cluster-role-to-user cluster-reader -n PROJECT-NAME -z SERVICE-ACCOUNT
Sysdig Installation Steps
To deploy agents using Kubernetes daemonsets, you
download
the configuration files, edit them as required, and deploy them.
sysdig-agent-daemonset-v2.yaml
HELM CHART OPTIONKubernetes also offers a package manager,
Helm, which uses charts to simplify this process.
If you are using Helm charts in your K8s environment, we recommend using
them to deploy Sysdig agents, as described
here.
Deploy the Agents
Download
the sample files:
sysdig-agent-daemonset-v2.yaml
sysdig-agent-configmap.yaml
sysdig-agent-service.yaml
Create a secret key using the command:
oc create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
If you created a service account name other than sysdig-agent:
Edit sysdig-agent-daemonset-v2.yamlto provide your custom value:``
serviceAccount: sysdig-agent
Edit sysdig-agent-configmap.yaml to add the collector address,
port, and the SSL/TLS information:
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
(All installs) Apply the sysdig-agent-configmap.yaml file using
the command:
oc apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Apply the sysdig-agent-service.yaml file:
oc apply -f sysdig-agent-service.yaml -n sysdig-agent
This allows the agent to receive Kubernetes audit events from the
Kubernetes API server. See Kubernetes Audit
Logging for information
on enabling Kubernetes audit logging.
(All installs) Apply the daemonset-v2.yaml file:
oc apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
The agents will be deployed and you can see Getting Started with Sysdig
Monitor
to view some metrics in the Sysdig Monitor UI. You can make further
edits to the configmap as described below.Getting
Started with Sysdig Monitor
Enable Kube State Metrics and Cluster Name
These steps are optional but recommended.
Edit sysdig-agent-configmap.yaml to uncomment the line:
new_k8s: true
This allows kube state metrics to be automatically detected,
monitored, and displayed in Sysdig Monitor.
For more information, see the Kube State
Metrics
entry in the Sysdig blog.
As of agent 9.6.0, new_k8s is enabled by default.
Edit sysdig-agent-configmap.yaml to uncomment the line:
**k8s_cluster_name: **and add your cluster name.
Setting cluster name here allows you to view, scope, and segment
metrics in the Sysdig Monitor UI by the Kubernetes cluster.
Note: Alternatively, if you assign a tag with “cluster” in the
tag name, Sysdig Monitor will display that as the Kubernetes cluster
name.
Apply the configmap changes using the command:
oc apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Proceed to verify the metrics in the Sysdig Monitor UI.
There are two ways to update the agent
configuration
Option 1: Edit the files locally and apply the changes with
oc apply -f:
oc apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Option 2: Use oc edit to edit files on the fly:
oc edit configmap sysdig-agent -n sysdig-agent
Running agents will automatically pick the new configuration after
Kubernetes pushes the changes across all the nodes in the cluster.
Verify Metrics in Sysdig Monitor UI
Log in to Sysdig Monitor to verify that the agent deployed and the
metrics are detected and collected appropriately.
The steps below give one way to do the check.
Access Sysdig Monitor:
SaaS: See SaaS Regions and IP
Ranges and identify the
correct domain URL associated with your Sysdig application and
region. For example, for US East, the URL is
https://app.sysdigcloud.com.
For other regions, the format is
https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysidig
application is hosted. For example, for Sysdig Monitor in the EU,
you use
https://eu1.app.sysdig.com.
Log in with your Sysdig user name and password.
Select the Explore tab to see if metrics are displayed.
(Once you have enabled new_k8s:true): To verify that kube state
metrics and cluster name are working correctly: Select the Explore
tab and create a grouping by kubernetes.cluster.name and
kubernetes.pod.name.
As of agent 9.6.0, new_k8s is enabled by default.
Select an individual container or pod to see details.
Kubernetes metadata (pods, deployments etc.) appear a minute or two
later than the nodes/containers themselves; if pod names do not appear
immediately, wait and retry the Explore view.
If agents are disconnecting, there could be an issue with your MAC
addresses. See Troubleshooting Agent
Installation for tips.
Additional Options
Connect to the Sysdig Backend via Static IPs (SaaS only)
Sysdig provides a list of static IP addresses that can be whitelisted in
a Sysdig environment, allowing users to establish a network connection
to the Sysdig backend without opening complete network connectivity.
This is done by setting the Collector IP to
collector-static.sysdigcloud.com.
The sysdig-agent-configmap.yaml file can be edited either locally or
using the edit command in Kubernetes. refer to the section above for
more information.
To configure the collector IP in a Kubernetes SaaS instance:
Open sysdig-agent-configmap.yaml in a text editor.
Uncomment the following lines:
Set the collector: value to
collector-static.sysdigcloud.com
Set the collector_port: value to 6443
Save the file.
The example file below shows how the sysdig-agent-configmap.yaml file
should look after configuration:
apiVersion: v1
kind: ConfigMap
metadata:
name: sysdig-agent
data:
dragent.yaml: |
### Agent tags
# tags: linux:ubuntu,dept:dev,local:nyc
#### Sysdig Software related config ####
# Sysdig collector address
collector: collector-static.sysdigcloud.com
# Collector TCP port
collector_port: 6443
# Whether collector accepts ssl/TLS
ssl: true
# collector certificate validation
ssl_verify_certificate: true
# Sysdig Secure
security:
enabled: true
#######################################
# new_k8s: true
# k8s_cluster_name: production
1.1.3.4 -
Steps for Rancher
Preparation
General Requirements
You can review Agent Install: Kubernetes | GKE | OpenShift |
IBM and the Host
Requirements for Agent
Installation for additional
context if desired.
The Sysdig agent requires a kernel module in order to be installed
successfully on a host. On RancherOS distributions, the Unix version
does not match the provided headers, and the agent might fail to install
correctly. Therefore, you must install the kernel headers manually.
For RancherOS distributions, the kernel headers are available in the
form of a system service and therefore are enabled using the ros
service command:
$ sudo ros service enable kernel-headers-system-docker
$ sudo ros service up -d kernel-headers-system-docker
Some cloud hosting service providers supply pre-configured Linux
instances with customized kernels. You may need to contact your
provider’s support desk for instructions on obtaining appropriate header
files, or for installing the distribution’s default kernel.
Install Agent
To deploy agents using Kubernetes daemonsets,
download
the following configuration files, edit them as required, and deploy
them.
sysdig-agent-clusterrole.yaml
sysdig-agent-service.yaml
sysdig-agent-daemonset-v2.yaml
sysdig-agent-configmap.yaml
HELM CHART OPTIONKubernetes also offers a package manager,
Helm, which uses charts to simplify this process.
If you are using Helm charts in your K8s environment, we recommend using
them to deploy Sysdig agents, as described
here.
Deploy Agent
Download
the sample files:
sysdig-agent-clusterrole.yaml
sysdig-agent-daemonset-v2.yaml
sysdig-agent-configmap.yaml
sysdig-agent-service.yaml
Create a namespace to use for the Sysdig agent.
You can use whatever naming you prefer. In this document, we used
sysdig-agent for both the namespace and the service account.
The default service account name was automatically defined in
sysdig-agent-daemonset-v2.yaml, at the line:
serviceAccount: sysdig-agent.
kubectl create ns sysdig-agent
Create a secret key:
kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
Create a cluster role and service account, and define the cluster
role bindingthat grants the Sysdig agent rules in the cluster role,
using the commands:
kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
kubectl create serviceaccount sysdig-agent -n sysdig-agent
kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
Edit sysdig-agent-configmap.yaml to add the collector address ,
port , and the SSL/TLS information:
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
(All installs) Apply the sysdig-agent-configmap.yaml file:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
(All installs) Apply the sysdig-agent-service.yaml file:
kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
This allows the agent to receive Kubernetes audit events from the
Kubernetes API server. See Kubernetes Audit
Logging for information
on enabling Kubernetes audit logging.
(All installs) Apply the daemonset-v2.yaml file :
kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
The agents will be deployed. See Getting Started with Sysdig
Monitor
to view some metrics in the Sysdig Monitor UI. You can make further
edits to the configmap as described below.Getting
Started with Sysdig Monitor
Enable Kube State Metrics and Cluster Name
These steps are optional but recommended.
Edit sysdig-agent-configmap.yaml to uncomment the line:
new_k8s: true
This allows kube state metrics to be automatically detected,
monitored, and displayed in Sysdig Monitor.
For more information, see the Kube State
Metrics
entry in the Sysdig blog.
As of agent 9.6.0, new_k8s is enabled by default.
Edit sysdig-agent-configmap.yaml to uncomment the line:
**k8s_cluster_name: **and add your cluster name.
Setting cluster name here allows you to view, scope, and segment
metrics in the Sysdig Monitor UI by the Kubernetes cluster.
Note: Alternatively, if you assign a tag with “cluster” in the
tag name, Sysdig Monitor will display that as the Kubernetes cluster
name.
Apply the configmap changes using the command:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Proceed to verify the metrics in the Sysdig Monitor UI.
Connect to the Sysdig Backend via Static IPs (SaaS only)
Sysdig provides a list of static IP addresses that can be whitelisted in
a Sysdig environment, allowing users to establish a network connection
to the Sysdig backend without opening complete network connectivity.
This is done by setting the Collector IP to
collector-static.sysdigcloud.com.
The sysdig-agent-configmap.yaml file can be edited either locally or
using the edit command in Kubernetes. refer to the section above for
more information.
To configure the collector IP in a Kubernetes SaaS instance:
Open sysdig-agent-configmap.yaml in a text editor.
Uncomment the following lines:
Set the collector: value to
collector-static.sysdigcloud.com
See SaaS Regions and IP
Ranges and identify the
correct URL associated with your Sysdig collector and region.
Set the collector_port: value to 6443
Save the file.
The example file below shows how the sysdig-agent-configmap.yaml file
should look after configuration:
apiVersion: v1
kind: ConfigMap
metadata:
name: sysdig-agent
data:
dragent.yaml: |
### Agent tags
# tags: linux:ubuntu,dept:dev,local:nyc
#### Sysdig Software related config ####
# Sysdig collector address
collector: collector-static.sysdigcloud.com
# Collector TCP port
collector_port: 6443
# Whether collector accepts ssl/TLS
ssl: true
# collector certificate validation
ssl_verify_certificate: true
# Sysdig Secure
security:
enabled: true
#######################################
# new_k8s: true
# k8s_cluster_name: production
Verify Metrics in Sysdig Monitor UI
Log in to Sysdig Monitor to verify that the agent deployed and the
metrics are detected and collected appropriately.
Kubernetes metadata (pods, deployments etc.) appear a minute or two
later than the nodes/containers themselves; if pod names do not appear
immediately, wait and retry the Explore view.
If agents are disconnecting, there could be an issue with your MAC
addresses. See Troubleshooting Agent
Installation for tips.
Access Sysdig Monitor:
SaaS: See SaaS Regions and IP
Ranges and identify the
correct domain URL associated with your Sysdig application and
region. For example, for US East, the URL is
https://app.sysdigcloud.com.
For other regions, the format is
https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysidig
application is hosted. For example, for Sysdig Monitor in the EU,
you use
https://eu1.app.sysdig.com.
Log in with your Sysdig user name and password.
Select the Explore tab to see if metrics are displayed.
(Once you have enabled new_k8s:true): To verify that kube state
metrics and cluster name are working correctly: Select the Explore
tab and create a grouping by kubernetes.cluster.name and
kubernetes.pod.name.
As of agent 9.6.0, new_k8s is enabled by default.
Select an individual container or pod to see details.
1.1.4 -
Agent Install: Non-Orchestrated
This section describes how to install the Sysdig agent directly on a
Linux host, without using an orchestrator, such as Kubernetes or Mesos.
The agent can be installed in two ways:
As a standard container
If you want to install the lighter version of the Sysdig agent, see
Install Slim Agent.
As a non-containerized service
The steps for each flavor differ slightly depending on whether you are
using the SaaS or on-premises version of the Sysdig platform.
If you are installing the Sysdig agent in an environment that has
Kubernetes, use the Agent Install:
Kubernetes instructions
instead.
Prerequisites
On kernel headers: The Sysdig agent requires kernel header files in
order to install successfully on a host, and the agent is delivered with
precompiled headers. If the hosts in your environment match the kernel
versions included with the agent, no special action is needed.
In some cases, the host(s) in your environment may use Unix versions
that do not match the provided headers, and the agent may fail to
install correctly. In those cases, you must install the kernel headers
manually. See About Kernel Headers and the Kernel
Module for details.
Run any commands as root or with the sudo command.
Have your Sysdig access key on hand.
If you launch an agent install from
www.sysdig.com, the welcome wizard will
present an access key.
Docker Container Agent Installation
The Sysdig agent can be deployed as a Docker container.
The commands below can also be copy/pasted from the Welcome Wizard or
the Agent Installation
page in the Sysdig UI.
In that case, your access key will already be included in the command
automatically.
SaaS
Run the agent image, providing the access key and (optional)
user-defined tags:
docker run -d --name sysdig-agent \
--restart always \
--privileged \
--net host \
--pid host\
-e ACCESS_KEY=[ACCESS_KEY] \
-e COLLECTOR=[COLLECTOR_ADDRESS] \
-e TAGS=[TAGS] \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro --shm-size=512m sysdig/agent
For the COLLECTOR, find the address for your
region.
On-Premises
Provide collector and SSL/TLS information in addition to access key and
optional tags:
docker run -d --name sysdig-agent \
--restart always \
--privileged \
--net host \
--pid host \
-e ACCESS_KEY=[ACCESS_KEY] \
-e COLLECTOR=[COLLECTOR_ADDRESS] \
-e SECURE=true \
-e CHECK_CERTIFICATE=true \
[-e TAGS=[TAGS]]
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro --shm-size=512m sysdig/agent
CHECK_CERTIFICATE should be set to false if a self-signed
certificate or private, CA-signed cert is used.
Service Agent Installation on Linux Host
Use these instructions to install the agent on the host itself, not in a
container. Install on each host in the environment.
The command lines below can also be copy/pasted from the Welcome wizard
or the Settings>Agent Installation page in the Sysdig Monitor
interface.
In that case, your access key will already be included in the command
automatically.
The Sysdig agent depends on several python modules, some of which might
not be installed on the hosts where the agent is running as a service.
When the required dependencies are not available, the sdchecks
component in the agent will report errors in the log files, such as:
>> Error, sdchecks[0] ModuleNotFoundError: No module named 'posix_ipc'
To address these errors, install the missing modules using the
pip install command.
SaaS
Run the following command:
curl -s https://download.sysdig.com/stable/install-agent | sudo bash -s -- --access_key [ACCESS_KEY] --collector [COLLECTOR_ADDRESS] [--tags [TAGS]]
Where [ACCESS_KEY] is your unique agent access key string. For
example, 1234-your-key-here-1234. [TAGS] is an optional list of
user-defined agent tags. For example,
role:webserver,location:europe.
Find the collector endpoint for your region listed
here.
Make sure restarting the agent results in starting the service:
sudo systemctl enable dragent
On-Premises
Run the following command:
curl -s https://download.sysdig.com/stable/install-agent | sudo bash -s -- --access_key [ACCESS_KEY] --collector [COLLECTOR_ADDRESS] --secure true --check_certificate true [--tags [TAGS]]
check_certificate should be set to false if a self-signed
certificate, a private, or a CA-signed certificate is used. See
information about SSL in on-premises
here.
Make sure restarting the agent results in starting the service:
sudo systemctl enable dragent
Connect to the Sysdig Backend via Static IPs (SaaS only)
Sysdig provides a list of static IP addresses that can be whitelisted in
a Sysdig environment, allowing users to establish a network connection
to the Sysdig backend without opening complete network connectivity.
This is done by setting the Collector IP to
collector-static.sysdigcloud.com:
user@host:~$ docker run --name sysdig-agent \
--privileged \
--net host \
--pid host \
-e ACCESS_KEY=[ACCESS_KEY] \
-e TAGS=[TAGS] \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
-v /lib/modules:/host/lib/modules:ro \
-v /usr:/host/usr:ro \
-e COLLECTOR=collector-static.sysdigcloud.com \
-e COLLECTOR_PORT=6443 \
-e SECURE=true \
-e CHECK_CERTIFICATE=true \
--shm-size=512m \
sysdig/agent
Note on Manual Agent Installation
In the following cases, it may be preferable to perform a manual
installation.
If desired, see Agent Install: Manual Linux
Installation.
1.1.5 -
Install Slim Agent
The slim agent is a lighter version of the Sysdig agent that is created
by splitting the regular agent image into two components responsible for
different functions. The slim agent reduces the surface area of attack
for potential vulnerabilities and is, therefore, more secure.
You install the slim agent package as two separate containers:
agent-kmodule: Responsible for downloading and building the kernel
module. The image is short-lived. The container exits after the
kernel module is loaded. The transient nature of the container
reduces the time and opportunities for exploiting any potential
vulnerabilities present in the container image.
Prerequisites: The package depends on Dynamic Kernel Module
Support (DKMS) and requires the compiler and kernel headers
installed if you are using the agent-kmodule to build the kernel
probe. Alternatively, you can use it without the kernel headers. In
such cases, the agent-kmodule will attempt to download a pre-built
kernel probe if it is present in the Sysdig probe repository.
The module contains:
agent-slim: Responsible for running the agent module once the
kernel module has been loaded. When the slim agent is up and running
it functions the same way as the regular agent.
Install Slim Agent in a Non-Orchestrated Environment
The agent is installed by running sysdig/agent-kmodule first, followed
by running sysdig/agent-slim.
Every host restart requires subsequent running of agent-kmodule and
agent-slim containers.
Build and load the kernel module:
docker run -it --privileged --rm --name sysdig-agent-kmodule -v /usr:/host/usr:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro sysdig/agent-kmodule
Run the agent module:
docker run -d --name sysdig-agent \
--privileged \
--net host \
--pid host\
-e ACCESS_KEY=[ACCESS_KEY] \
-e COLLECTOR=[COLLECTOR_ADDRESS] \
-v /var/run/docker.sock:/host/var/run/docker.sock \
-v /dev:/host/dev \
-v /proc:/host/proc:ro \
-v /boot:/host/boot:ro \
sysdig/agent-slim
Install Slim Agent on Kubernetes
The agent is installed by scheduling both the agent-kmodule and
agent-slim containers into a single daemonset. The agent-kmodule
container is defined as an init container, which ensures that it runs
first and must succeed in order for the other containers to run.
The slim agent is not supported on GKE clusters running on COS
(Container Optimized OS).
Download sysdig-agent-slim-daemonset-v2.yaml, edit it as required,
and deploy.
An example daemonset is given below:
### WARNING: this file is supported from Sysdig Agent 0.80.0
# apiVersion: extensions/v1beta1 # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: sysdig-agent
labels:
app: sysdig-agent
spec:
selector:
matchLabels:
app: sysdig-agent
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
app: sysdig-agent
spec:
volumes:
- name: modprobe-d
hostPath:
path: /etc/modprobe.d
- name: dshm
emptyDir:
medium: Memory
- name: dev-vol
hostPath:
path: /dev
- name: proc-vol
hostPath:
path: /proc
- name: boot-vol
hostPath:
path: /boot
- name: modules-vol
hostPath:
path: /lib/modules
- name: usr-vol
hostPath:
path: /usr
- name: run-vol
hostPath:
path: /run
- name: varrun-vol
hostPath:
path: /var/run
- name: sysdig-agent-config
configMap:
name: sysdig-agent
optional: true
- name: sysdig-agent-secrets
secret:
secretName: sysdig-agent
hostNetwork: true
hostPID: true
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
# The following line is necessary for RBAC
serviceAccount: sysdig-agent
terminationGracePeriodSeconds: 5
initContainers:
- name: sysdig-agent-kmodule
image: sysdig/agent-kmodule
imagePullPolicy: Always
securityContext:
privileged: true
resources:
requests:
cpu: 1000m
memory: 384Mi
limits:
memory: 512Mi
volumeMounts:
- mountPath: /etc/modprobe.d
name: modprobe-d
readOnly: true
- mountPath: /host/boot
name: boot-vol
readOnly: true
- mountPath: /host/lib/modules
name: modules-vol
readOnly: true
- mountPath: /host/usr
name: usr-vol
readOnly: true
containers:
- name: sysdig-agent
# WARNING: the agent-slim release is currently dependent on the above
# initContainer and thus only functions correctly in a kubernetes cluster
image: sysdig/agent-slim
imagePullPolicy: Always
securityContext:
privileged: true
resources:
# Resources needed are subjective to the actual workload.
# Please refer to Sysdig Support for more info.
requests:
cpu: 600m
memory: 512Mi
limits:
cpu: 2000m
memory: 1536Mi
readinessProbe:
exec:
command: [ "test", "-e", "/opt/draios/logs/running" ]
initialDelaySeconds: 10
volumeMounts:
- mountPath: /host/dev
name: dev-vol
readOnly: false
- mountPath: /host/proc
name: proc-vol
readOnly: true
- mountPath: /host/run
name: run-vol
- mountPath: /host/var/run
name: varrun-vol
- mountPath: /dev/shm
name: dshm
- mountPath: /opt/draios/etc/kubernetes/config
name: sysdig-agent-config
- mountPath: /opt/draios/etc/kubernetes/secrets
name: sysdig-agent-secrets
See Sysdig Cloud
Scripts
for the latest daemonset.
Create a namespace to use for the Sysdig agent.
# kubectl create ns sysdig-agent
You can use whatever naming you prefer. In this document, we
used sysdig-agent for both the namespace and the service account.
The default service account name was automatically defined
in sysdig-agent-slim-daemonset-v2.yaml, at the
line: serviceAccount: sysdig-agent.
Create a secret key:
# kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
Create a cluster role and service account, and define the cluster
role binding that grants the Sysdig agent rules in the cluster role,
using the commands:
# kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
# kubectl create serviceaccount sysdig-agent -n sysdig-agent
# kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
Edit sysdig-agent-configmap.yaml to add the
collector``address``` and portand theSSL/TLS` information :
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
Apply the configuration changes:
# kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Deploy the kernel module and slim agent containers using the
daemonset:
# kubectl apply -f sysdig-agent-slim-daemonset-v2.yaml -n sysdig-agent
The agents will be deployed and you can see Getting Started with Sysdig
Monitor
to view some metrics in the Sysdig Monitor UI. You can make further
edits to the configmap as described in the following sections:Getting
Started with Sysdig Monitor
Install Slim Agent on GKE
The agent is installed by scheduling both the agent-kmodule and
agent-slim containers into a single daemonset. The agent-kmodule
container is defined as an init container, which ensures that it runs
first and must succeed in order for the other containers to run.
Download sysdig-agent-slim-daemonset-v2.yaml.
An example daemonset is given below:
### WARNING: this file is supported from Sysdig Agent 0.80.0
# apiVersion: extensions/v1beta1 # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: sysdig-agent
labels:
app: sysdig-agent
spec:
selector:
matchLabels:
app: sysdig-agent
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
app: sysdig-agent
spec:
volumes:
- name: modprobe-d
hostPath:
path: /etc/modprobe.d
### uncomment for minikube
# - name: etc-version
# hostPath:
# path: /etc/VERSION
# type: FileOrCreate
- name: dshm
emptyDir:
medium: Memory
- name: dev-vol
hostPath:
path: /dev
- name: proc-vol
hostPath:
path: /proc
- name: boot-vol
hostPath:
path: /boot
- name: modules-vol
hostPath:
path: /lib/modules
- name: usr-vol
hostPath:
path: /usr
- name: run-vol
hostPath:
path: /run
- name: varrun-vol
hostPath:
path: /var/run
- name: sysdig-agent-config
configMap:
name: sysdig-agent
optional: true
- name: sysdig-agent-secrets
secret:
secretName: sysdig-agent
# This section is for eBPF support. Please refer to Sysdig Support before
# uncommenting, as eBPF is recommended for only a few configurations.
- name: bpf-probes
emptyDir: {}
- name: osrel
hostPath:
path: /etc/os-release
type: FileOrCreate
hostNetwork: true
hostPID: true
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
# The following line is necessary for RBAC
serviceAccount: sysdig-agent
terminationGracePeriodSeconds: 5
initContainers:
- name: sysdig-agent-kmodule
image: quay.io/sysdig/agent-kmodule
imagePullPolicy: Always
securityContext:
privileged: true
resources:
requests:
cpu: 1000m
memory: 384Mi
limits:
memory: 512Mi
# This section is for eBPF support. Please refer to Sysdig Support before
# uncommenting, as eBPF is recommended for only a few configurations.
env:
- name: SYSDIG_BPF_PROBE
value: ""
volumeMounts:
- mountPath: /etc/modprobe.d
name: modprobe-d
readOnly: true
### uncomment for minikube
# - mountPath: /host/etc/VERSION
# name: etc-version
# readOnly: true
- mountPath: /host/boot
name: boot-vol
readOnly: true
- mountPath: /host/lib/modules
name: modules-vol
readOnly: true
- mountPath: /host/usr
name: usr-vol
readOnly: true
# This section is for eBPF support. Please refer to Sysdig Support before
# uncommenting, as eBPF is recommended for only a few configurations.
- mountPath: /root/.sysdig
name: bpf-probes
- mountPath: /host/etc/os-release
name: osrel
readOnly: true
containers:
- name: sysdig-agent
# WARNING: the agent-slim release is currently dependent on the above
# initContainer and thus only functions correctly in a kubernetes cluster
image: quay.io/sysdig/agent-slim
imagePullPolicy: Always
securityContext:
privileged: true
resources:
# Resources needed are subjective to the actual workload.
# Please refer to Sysdig Support for more info.
requests:
cpu: 600m
memory: 512Mi
limits:
cpu: 2000m
memory: 1536Mi
readinessProbe:
exec:
command: [ "test", "-e", "/opt/draios/logs/running" ]
initialDelaySeconds: 10
# This section is for eBPF support. Please refer to Sysdig Support before
# uncommenting, as eBPF is recommended for only a few configurations.
env:
- name: SYSDIG_BPF_PROBE
value: ""
volumeMounts:
- mountPath: /host/dev
name: dev-vol
readOnly: false
- mountPath: /host/proc
name: proc-vol
readOnly: true
- mountPath: /host/run
name: run-vol
- mountPath: /host/var/run
name: varrun-vol
- mountPath: /dev/shm
name: dshm
- mountPath: /opt/draios/etc/kubernetes/config
name: sysdig-agent-config
- mountPath: /opt/draios/etc/kubernetes/secrets
name: sysdig-agent-secrets
# This section is for eBPF support. Please refer to Sysdig Support before
# uncommenting, as eBPF is recommended for only a few configurations.
- mountPath: /root/.sysdig
name: bpf-probes
Either use the single-line command from the Getting Started
section of the Sysdig application or continue with the step 3
through 7.
$ curl -s https://download.sysdig.com/stable/install-agent-kubernetes | sudo bash -s -- --access_key 84d1d241-cde3-4ecc-9ecf-9a735ed0df45 --collector collector-staging.sysdigcloud.com --collector_port 6443 --nodeanalyzer --api_endpoint secure-staging.sysdig.com
Ensure that you uncomment the following sections:
eBPF Probes under spec volume:
- name: bpf-probes
emptyDir: {}
- name: osrel
hostPath:
path: /etc/os-release
type: FileOrCreate
Environment variable for eBPF under initContainers:
env:
- name: SYSDIG_BPF_PROBE
value: ""
Mount path for eBPF under initContainers:
- mountPath: /root/.sysdig
name: bpf-probes
- mountPath: /host/etc/os-release
name: osrel
readOnly: true
Environment variable for eBPF under sysdig-agent:
env:
- name: SYSDIG_BPF_PROBE
value: ""
Mount path for eBPF under volume mounts
- mountPath: /root/.sysdig
name: bpf-probesenv:
Create a namespace to use for the Sysdig agent.
$ kubectl create ns sysdig-agent
You can use whatever naming you prefer. In this document, we
used sysdig-agent for both the namespace and the service account.
The default service account name was automatically defined
in sysdig-agent-slim-daemonset-v2.yaml, at the
line: serviceAccount: sysdig-agent.
Create a secret key:
$ kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
Create a cluster role and service account, and define the cluster
role binding that grants the Sysdig agent rules in the cluster role,
using the commands:
$ kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
$ kubectl create serviceaccount sysdig-agent -n sysdig-agent
$ kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
Edit sysdig-agent-configmap.yaml to add the
collector``address``` and portand theSSL/TLS` information :
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
Apply the configuration changes:
$ kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Deploy the kernel module and slim agent containers using the
daemonset:
# kubectl apply -f sysdig-agent-slim-daemonset-v2.yaml -n sysdig-agent
The agents will be deployed and you can see Getting Started with Sysdig
Monitor
to view some metrics in the Sysdig Monitor UI. You can make further
edits to the configmap as described in the following sections:Getting
Started with Sysdig Monitor
1.1.6 -
Agent Install: Manual Linux Installation
Manual installation of the native Linux agent is recommended in the
following cases:
Full control over the deployment process
Integration with configuration management tools
Custom kernel
Unsupported distribution (within Debian/Fedora flavors)
Otherwise, you may want to just follow the standard Installation Guide:
NOTE: If you are installing the Sysdig agent in an orchestrated
infrastructure such as Kubernetes, Mesos/Marathon, use the respective
Installation Guides:
Run the commands as root or with sudo.
Installation Options
Review the Host Requirements for Agent
Installation. Then follow
the steps for the appropriate Linux distribution, below.
Debian, Ubuntu
Trust the Sysdig Monitor GPG key, configure the apt repository, and
update the package list:
curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | apt-key add -
curl -s -o /etc/apt/sources.list.d/draios.list http://download.sysdig.com/stable/deb/draios.list
apt-get update
Install kernel development files.
The following command might not work with every kernel. Make sure to
customize the name of the package properly.
apt-get -y install linux-headers-$(uname -r)
Install, configure, and restart the Sysdig agent.
apt-get -y install draios-agent
echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
service dragent restart
Replace ACCESS_KEY with your unique access key
string.
Inability to retrieve the key indicates that the administrator of
your instance might have it turned off for non-admin users. Please
contact your Sysdig administrator to receive the key. If you still
have issues please contact Sysdig
support.
[TAGS] is an optional parameter you can use to list one or more
tags for this host (see below).
CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2
Trust the Sysdig Monitor GPG key, configure the yum repository.
$ rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
$ curl -s -o /etc/yum.repos.d/draios.repo http://download.sysdig.com/stable/rpm/draios.repo
Install the EPEL repository
The following command is required only if DKMS is not available in
the distribution. You can verify if DKMS is available with
yum list dkms
The command below contains a sample release number; be sure to
update with the correct release.
$ rpm -i http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm
Install kernel development files.
The following command might not work with every kernel. Make sure to
customize the name of the package properly.
$ yum -y install kernel-devel-$(uname -r)
Install, configure, and start the Sysdig agent.
$ yum -y install draios-agent
$ echo customerid: ACCESS_KEY >> /opt/draios/etc/dragent.yaml
$ echo tags: [TAGS] >> /opt/draios/etc/dragent.yaml
$ sudo systemctl enable dragent
$ sudo systemctl start dragent
Replace ACCESS_KEY with your unique access key
string.
Inability to retrieve the key indicates that the administrator of
your instance might have it turned off for non-admin users. Please
contact your Sysdig administrator to receive the key. If you still
have issues please contact Sysdig
support.
[TAGS] is an optional parameter you can use to list one or more
tags for this host (see below).
If you using a non-systemd Linux distribution, use the service
command to start dragent.
$ service dragent restart
Other Linux Distributions
The Sysdig Agent is unsupported outside of the Debian, Fedora, and
Amazon distributions.
Tagging your hosts is highly recommended. Agent Tags allow you to sort
nodes of your infrastructure into custom groups in Sysdig Monitor.
Replace the [TAGS] parameter above with a comma-separated list of
TAG_NAME:TAG_VALUE .
For example: role:webserver,location:europe
1.1.7 -
Agent Install: IKS (IBM Cloud with Sysdig)
IBM maintains the documentation for Sysdig agent installation on IBM
Cloud Kubernetes Service (IKS).
For more information, see the IBM Cloud Monitoring with
Sysdig
documentation:
1.1.8 -
Agent Install: Mesos | Marathon | DCOS
Marathon is the container orchestration platform for Mesosphere’s
Datacenter Operating System (DC/OS) and Apache Mesos.
This guide describes how to install the Sysdig agent container on each
underlying host in your Mesos cluster. Once installed, the agent will
automatically connect to the Mesos and Marathon APIs to pull relevant
metadata about the environment and will begin monitoring all of your
hosts, apps, containers, and frameworks.
Standard Installation Instructions
Review the Host Requirements for Agent
Installation.
In this three-part installation, you:
Deploy the Sysdig agent on all Mesos Agent (aka “Slave”) nodes,
either automatically or by creating and posting a .json file to
the leader Marathon API server.
Deploy the Sysdig agent on the Mesos Master nodes.
Special configuration steps: modify the Sysdig agent config file to
monitor Marathon instances.
Deploy the Sysdig agent on your Mesos Agent nodes
Preferred Option: Automatic install (DC/OS 1.11+)
If you’re using DC/OS 1.8 or higher, then you can find Sysdig in the
Mesosphere Universe marketplace and install it from there.
It will automatically deploy the Sysdig agent container on each of your
Mesos Agent nodes as a Marathon app.
Proceed to Deploy the Sysdig
Agent.
Alternate Option: Post a .json file
If you are using a version of DC/OS earlier than 1.8 then:
Create a JSON file for Marathon, in the following format.
The COLLECTOR address comes from your own environment in on-prem
installations. For SaaS installations, find the collector endpoint
for your region listed
here.
COLLECTOR_PORT, SECURE, and CHECK_CERT are used in environments
with Sysdig’s on-premises backend installed.
{
"backoffFactor": 1.15,
"backoffSeconds": 1,
"constraints": [
[
"hostname",
"UNIQUE"
]
],
"container": {
"docker": {
"forcePullImage": true,
"image": "sysdig/agent",
"parameters": [],
"privileged": true
},
"type": "DOCKER",
"volumes": [
{
"containerPath": "/host/var/run/docker.sock",
"hostPath": "/var/run/docker.sock",
"mode": "RW"
},
{
"containerPath": "/host/dev",
"hostPath": "/dev",
"mode": "RW"
},
{
"containerPath": "/host/proc",
"hostPath": "/proc",
"mode": "RO"
},
{
"containerPath": "/host/boot",
"hostPath": "/boot",
"mode": "RO"
},
{
"containerPath": "/host/lib/modules",
"hostPath": "/lib/modules",
"mode": "RO"
},
{
"containerPath": "/host/usr",
"hostPath": "/usr",
"mode": "RO"
}
]
},
"cpus": 1,
"deployments": [],
"disk": 0,
"env": {
"ACCESS_KEY": "ACCESS_KEY=YOUR-ACCESS-KEY-HERE",
"CHECK_CERT": "false",
"SECURE": "true",
"TAGS": "example_tag:example_value",
"name": "sdc-agent",
"pid": "host",
"role": "monitoring",
"shm-size": "350m"
},
"executor": "",
"gpus": 0,
"id": "/sysdig-agent",
"instances": 1,
"killSelection": "YOUNGEST_FIRST",
"labels": {},
"lastTaskFailure": {
"appId": "/sysdig-agent",
"host": "YOUR-HOST",
"message": "Container exited with status 70",
"slaveId": "1fa6f2fc-95b0-445f-8b97-7f91c1321250-S2",
"state": "TASK_FAILED",
"taskId": "sysdig-agent.3bb0759d-3fa3-11e9-b446-c60a7a2ee871",
"timestamp": "2019-03-06T00:03:16.234Z",
"version": "2019-03-06T00:01:57.182Z"
},
"maxLaunchDelaySeconds": 3600,
"mem": 850,
"networks": [
{
"mode": "host"
}
],
"portDefinitions": [
{
"name": "default",
"port": 10101,
"protocol": "tcp"
}
],
"requirePorts": false,
"tasks": [
{
"appId": "/sysdig-agent",
"healthCheckResults": [],
"host": "YOUR-HOST-IP",
"id": "sysdig-agent.0d5436f4-3fa4-11e9-b446-c60a7a2ee871",
"ipAddresses": [
{
"ipAddress": "YOUR-HOST-IP",
"protocol": "IPv4"
}
],
"localVolumes": [],
"ports": [
4764
],
"servicePorts": [],
"slaveId": "1fa6f2fc-95b0-445f-8b97-7f91c1321250-S2",
"stagedAt": "2019-03-06T00:09:04.232Z",
"startedAt": "2019-03-06T00:09:06.912Z",
"state": "TASK_RUNNING",
"version": "2019-03-06T00:09:04.182Z"
}
],
"tasksHealthy": 0,
"tasksRunning": 1,
"tasksStaged": 0,
"tasksUnhealthy": 0,
"unreachableStrategy": {
"expungeAfterSeconds": 0,
"inactiveAfterSeconds": 0
},
"upgradeStrategy": {
"maximumOverCapacity": 1,
"minimumHealthCapacity": 1
},
"version": "2019-03-06T00:09:04.182Z",
"versionInfo": {
"lastConfigChangeAt": "2019-03-06T00:09:04.182Z",
"lastScalingAt": "2019-03-06T00:09:04.182Z"
}
}
See Table 1: Environment Variables for Agent Config
Filef
or the Sysdig name:value definitions.
Complete the “cpus”, “mem” and “labels” (i.e. Marathon labels)
entries to fit the capacity and requirements of the cluster
environment.
Update the created.json file to the leader Marathon API server:
$ $curl -X POST http://$(hostname -i):8080/v2/apps -d @sysdig.json -H "Content-type: application/json"
Deploy the Sysdig Agent
After deploying the agent to the Mesos Agent nodes, you will install
agents on each of the Mesos Master nodes as well.
If any cluster node has both Mesos Master and Mesos Agent roles, do not
perform this installation step on that node. It already will have a
Sysdig agent installed from the procedure in step A. Running duplicate
Sysdig agents on a node will cause errors.
Use the Agent Install:
Non-Orchestrated
instructions to install the agent directly on each of your Mesos Master
nodes.
When the Sysdig agent is successfully installed on the master nodes, it
will automatically connect to the local Mesos and Marathon (if
available) API servers via http://localhost:5050 and
http://localhost:8080 respectively, to collect cluster configuration
and current state metadata in addition to host metrics.
Special Configuration Steps
In certains situations, you may need to add additional configurations to
the dragent.yaml file:
Descriptions and examples are shown below.
If the Sysdig Agent Cannot Run On the Mesos API Server
Mesos allows multiple masters. If the API server can not be instrumented
with a Sysdig agent, simply delegate ONE other node with an agent
installed to remotely receive infrastructure information from the API
server.
NOTE: If you manually configure the agent to point to a master with a
static configuration file entry, then automatic detection/following of
leader changes will no longer be enabled.
Add the following Mesos parameter to the delegated agent’s
dragent.yaml file to allow it to connect to the remote API server and
authenticate, either by:
a. Directly editing dragent.yaml on the host, or
b. Converting the YAML code to a single-line format and adding it as an
ADDITIONAL_CONF argument in a Docker command.
See Understanding the Agent Config
Files for details.
Specify the API server’s connection method, address, and port. Also
specify credentials if necessary.
YAML example:
mesos_state_uri: http://[acct:passwd@][hostname][:port]
marathon_uris:
- http://[acct:passwd@][hostname][:port]
Although marathon_uris: is an array, currently only a single “root”
Marathon framework per cluster is supported. Multiple side-by-side
Marathon frameworks should not be configured in order for our agent to
function properly. Multiple side-by-side “root” Marathon frameworks on
the same cluster are currently not supported. The only supported
multiple-Marathon configuration is with one “root” Marathon and other
Marathon frameworks as its apps.
If the Mesos API server requires authentication
If the agent is installed on the API server but the API server uses a
different port or requires authentication, those parameters must be
explicitly specified.
Add the following Mesos parameters to the API server’s dragent.yaml to
make it connect to the API server and authenticate with any unique
account and password, either by:
a. Directly editing dragent.yaml on the host, or
b. Converting the YAML code to a single-line format and adding it as an
ADDITIONAL_CONF argument in a Docker command.
See Understanding the Agent Config
Files for details.
Specify the API server’s protocol, user credentials, and port:
mesos_state_uri: http://[username:password@][hostname][:port]
marathon_uris:
- http://[acct:passwd@][hostname][:port]
*HTTPS protocol is also supported.
In troubleshooting cases where auto-detection and reporting of your
Mesos infrastructure needs to be temporarily turned off in a designated
agent:
Comment out the Mesos parameter entries in the agent’s dragent.yaml
file.
Example parameters to disable: mesos_state_uri, marathon_uris
If the agent is running on the API server (Master node) and
auto-detecting a default configuration, you can add the line:
mesos_autodetect: false
either directly in the dragent.yaml file or as an ADDITIONAL_CONF
parameter in a Docker command.
Restart the agent.
1.1.9 -
Airgapped Agent Installation
Airgapped environments are those that do not have the network access to
pull images from the container repository. Agent installation requires
sysdigcloud-probe and you cannot download a pre-compiled module in an
airgapped environment. Therefore, ensure that you compile your own
sysdigcloud-probe before installing the agent.
Prepare the Sysdig Probe Builder Images
On a machine with internet connectivity, build the Sysdig probe
container and create a tar file of the image.
Get the probe builder artifacts from the repository:
$ git clone https://github.com/draios/sysdig
$ git checkout probe-builder
$ cd sysdig
Build the container image:
$ docker build -t airgap/sysdig-probe-builder probe-builder/
Create the container and run:
$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock airgap/sysdig-probe-builder:latest -P -b airgap/
Save the images to a tar archive:
$ docker save airgap/sysdig-probe-builder | gzip > builders.tar.gz
Ensure that you make this tar available to the airgapped machines
where you intend to install the Sysdig agent.
Set Up Kernel Module
Set up a local repository to host the pre-compiled kernel module:
$ kubectl run my-nginx --image=nginx --port=80
$ kubectl expose deployment my-nginx --port=80 --type=NodePort
Copy sysdigcloud-probe to the repository you have created:
$ kubectl cp sysdigcloud-probe-<version> my-nginx-xxxxxxxx-xxxx:/usr/share/nginx
Install Agent in Docker Environment
Install Sysdig agent by pointing SYSDIG_PROBE_URL to the local
repository:
For docker-based installations:
$ docker run -d --name sysdig-agent --restart always --privileged --net host --pid host -e ACCESS_KEY=WWWWW-YYYY-XXXX-ZZZZ-123456789 -e SECURE=true -e SYSDIG_PROBE_URL=http://www.mywebserver.net:80/ -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --shm-size=512m sysdig/agent
Where -e SYSDIG_PROBE_URL=http://www.mywebserver:80/ is the local
nginx pod with the loaded module.
To use secure communication with a self-signed or untrusted
certificate, apply the -e SYSDIG_PROBE_INSECURE_DOWNLOAD=true
environment variable.
Check the agent log. You will see a similar message:
Found custom module URL http://mywebserver:80/, will use it * Trying to download precompiled module from http://mywebserver:80/sysdigcloud-probe-<version>
Continue with the instructions in Agent Install:
Non-Orchestrated.
Install Agent in Kubernetes Environment
Open your agent daemonset and update the SYSDIG_PROBE_URL to point
to the local repository:
- name: SYSDIG_PROBE_URL
value: http://www.mywebserver:80/
If you would like to use secure communication with a self-signed or
untrusted certificate, apply the SYSDIG_PROBE_INSECURE_DOWNLOAD
environment variable.
- name: SYSDIG_PROBE_INSECURE_DOWNLOAD
value: true
Continue with the instructions in Agent Install:
Kubernetes.
1.1.10 -
Troubleshooting Agent Installation
This section describes methods for troubleshooting two types of issue:
Disconnecting Agents
If agents are disconnecting, there could be problems with addresses that
need to be resolved in the agent configuration files. See also
Understanding the Agent Config
Files.
Check for Duplicate MAC addresses
The Sysdig agent will use the eth0 MAC address to identify the
different hosts within an infrastructure. In a virtualized environment,
you should confirm each of your VM’s eth0 MAC addresses are unique.
If a unique address cannot be configured, you can supply an additional
parameter in the Sysdig agent’s dragent.yaml configuration file:
machine_id_prefix: prefix
The prefix text can be any string and will be prepended to the MAC
address as reported in the Sysdig Monitor web interface’s Explore
tables.
Example: (using ADDITIONAL_CONF rather than Kubernetes
Configmap)
Here is an example Docker run command installing the parameter via the
ADDITIONAL_CONF parameter
docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=abc123-1234-abcd-4321-abc123def456 -e TAGS=tag1:value1 -e ADDITIONAL_CONF="machine_id_prefix: MyPrefix123-" -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/agent
The resulting /opt/draios/etc/dragent.yaml config file would look like
this:
customerid:abc123-1234-abcd-4321-abc123def456
tags: tag1:value1
machine_id_prefix: MyPrefix123-
You will then see all of your hosts, provided that all the prefixes are
unique. The prefix will be visible whenever the MAC address is displayed
in any view.
See also: Agent
Configuration.
Check for Conflicting MAC addresses in GKE environments
In Google Container Engine (GKE) environments, MAC addresses could be
repeated across multiple hosts. This would cause some hosts running
Sysdig agents not to appear in your web interface.
To address this, add a unique machine ID prefix to each config you use
to deploy the agent to a given cluster (i.e. each
sysdig-daemonset.yaml
file).
Note: This example uses the
(v1) ADDITIONAL_CONF,
rather than (v2)
Configmap method.
- name: ADDITIONAL_CONF value: "machine_id_prefix: mycluster1-prefix-"
Can’t See Metrics After Agent Install
If agents were successfully installed, you could log in to the Sysdig
Monitor UI, but no metrics are displayed in the Explore panel, first
confirm that the agent license count has not been exceeded. Then check
for any proxy, firewall, or host security policies preventing proper
agent communication to the Sysdig Monitor backend infrastructure.
Check License Count
If network connectivity is good, the agent will connect to the backend
but will be disconnected after a few seconds if the license count has
been exceeded.
To check whether you are over-subscribed, go to
Settings > Subscription.
See Subscription for
details.
Check Network Policy
Agent Connection Port
Check your service provider VPC security groups to verify that network
ACLs are set to allow the agent’s outbound traffic over TCP ports. See
Sysdig Collector Ports for
the supported TCP ports for each region.
Outbound IP Addresses
Due to the distributed nature of the Sysdig Monitor infrastructure, the
agent must be open for outbound connections to
collector.sysdigcloud.com on all
outbound IP addresses.
Check Amazon’s public IP ranges
file to see all the
potential IP addresses the Sysdig agent can use to communicate with the
Sysdig backend databases.
AWS metadata is used for gathering information about the instance
itself, such as instance id, public IP address, etc.
When running on an AWS instance, access to the following AWS metadata
endpoint is also needed: 169.254.169.254
Check Local Host Policy
The agent requires access to the following local system resources in
order to gather metrics:
Read/Write access to /dev/sysdig devices.
Read access to all the files under /proc file system.
For container support, the Docker API endpoint
/var/run/docker.sock
If any settings or firewall modifications are made, you may need to
restart the agent service. In a shell on the affected instances issue
the following command:
sudo service dragent restart
1.1.11 -
Identify Agent Version
Use one of the following methods to determine the version of the agents
installed in your environment:
Explore
Segmenting metrics by using agent.version shows the installed versions
of agents in your environment. For example, segment the uptime metric
across your environment by using agent.version . Hover over the graph
to see the list of agent versions.
The image shows the list of agent versions in
n/a.
Dashboard
Use the Sysdig Agent Health Dashboard to determine the agent
versions:
Log in to the Sysdig Monitor.
Select Dashboards and expand Host Infrastructure Dashboards.
Open the Sysdig Agent Health & Status template or create your
own from the template.
The Sysdig Agent and Health & Status Dashboard shows the agent
version corresponding to each host in your environment.
1.1.12 -
Using Node Leases
The Sysdig agent uses Kubernetes
Lease
to control how and when connections are made to the Kubernetes API
Server. This mechanism prevents overloading the Kubernetes API server
with connection requests during agent bootup.
Kubernetes node leases are automatically created for agent version
12.0.0 and above. On versions prior to 12.0.0, you must configure node
leases as given in the KB article.
Prerequisites
Types of Leases
The agent creates the following leases:
Cold Start
During boot up, the Sysdig agent connects to the Kubernetes API server
to retrieve Kubernetes metadata and build a cache. The cold-start
leases control the number of agents that build up this cache at any
given time. An agent will grab a lease, build its cache, and then
release the lease so that another agent can build its cache. This
mechanism prevents agents from creating a “boot storm” which can
overwhelm the API server in large clusters.
Delegation
In Kubernetes environments, two agents are marked as delegated in each
cluster. The delegated agents are the designated agents to request
more data from the API server and produce KubeState metrics. The
delegation leases will not be released until the agent is terminated.
View Leases
To view the leases, run the following:
$ kubectl get leases -n sysdig-agent
You will see an output similar to the following:
NAME HOLDER AGE
cold-start-0 20m
cold-start-1 20m
cold-start-2 21m
cold-start-3 ip-10-20-51-167 21m
cold-start-4 21m
cold-start-5 21m
cold-start-6 20m
cold-start-7 21m
cold-start-8 20m
cold-start-9 ip-10-20-51-166 21m
delegation-0 ip-10-20-52-53 21m
delegation-1 ip-10-20-51-98 21m
Troubleshoot Leases
Verify Configuration
When lease-based delegation is working as expected, the agent logs show
one of the following:
Getting pods only for node <node>
Getting pods for all nodes.
Both (occasionally on the delegated nodes)
Run the following to confirm that it is working:
$ kubectl logs sysdig-agent-9l2gf -n sysdig-agent | grep -i "getting pods"
The configuration is working as expected if the output on a pod is
similar to the following:
2021-05-05 02:48:32.877, 15732.15765, Information, cointerface[15738]: Only getting pods for node ip-10-20-51-166.ec2.internal
Unable to Create Leases
The latest Sysdig ClusterRole is required for the agent to create
leases. If you do not have the latest ClusterRole or if you have not
configured the ClusterRole correctly, the logs show the following error:
Error, lease_pool_manager[2989554]: Cannot access leases objects: leases.coordination.k8s.io is forbidden: User "system:serviceaccount:sysdig-agent:sysdig-agent" cannot list resource "leases" in API group "coordination.k8s.io" in the namespace "sysdig-agent"
Contact Sysdig Support for help.
Optional Agent Configuration
Several configuration options exist for leases. It is recommended to not
change the default settings unless prompted by Sysdig Customer Support.
k8s_coldstart:
enabled: <true/false>
| true above agent versions 12.0.0
| When true, the agent will attempt to create cold-start leases to control the number of agents which are allowed to build their cache at one time. |
k8s_coldstart:
max_parallel_cold_starts: <int>
| 10 | The number of cold-start leases to be created. This is the number of agents that can connect to the API Server simultaneously during agent initialization. |
k8s_coldstart:
namespace: <string>
| sysdig-agent
| The namespace to be created. This shouldn’t be needed in agent version 12.0.0 because the DownwardAPI in the ClusterRole will provide the appropriate namespace. |
k8s_coldstart:
enforce_leader_election: <true/false>
| false
| When true, the agent will not fall back to the previous method if it cannot create leases.This can be useful if the previous method caused API Server problems. |
k8s_delegation_election: <true/false>
| true above agent versions 12.0.0
| When true, the agent will create delegation leases to control which set of agents generate global cluster metrics. |
1.2 -
Agent Configuration
Out of the box, the Sysdig agent will gather and report on a wide
variety of pre-defined metrics. It can also accommodate any number of
custom parameters for additional metrics collection.
Use this section when you need to change the default or pre-defined
settings by editing the agent configuration files, or for other
special circumstances.
Integrations for Sysdig
Monitor also require
editing the agent config files.
By default, the Sysdig agent is configured to collect metric data from a
range of platforms and applications. You can edit the agent config files
to extend the default behavior, including additional metrics for JMX,
StatsD, Prometheus, or a wide range of other applications. You can also
monitor log files for
targeted text strings.
1.2.1 -
Understand the Agent Configuration
Out of the box, the Sysdig agent will gather and report on a wide
variety of pre-defined metrics. It can also accommodate any number of
custom parameters for additional metrics collection.
The agent relies on a pair of configuration files to define metrics
collection parameters:
dragent.default.yaml
| The core configuration file. You can look at it to understand more about the default configurations provided. Location: "/opt/draios/etc/dragent.default.yaml." CAUTION. This file should never be edited. |
dragent.yaml or configmap.yaml (Kubernetes)
| The configuration file where parameters can be added, either directly in YAML as name/value pairs, or using environment variables such as 'ADDITIONAL_CONF." Location: "/opt/draios/etc/dragent.yaml." |
The “dragent.yaml” file can be accessed and edited in several ways,
depending on how the agent was installed. This document describes how to
modify dragent.yaml.
One additional file, dragent.auto.yaml is also created and used in
special circumstances. See Optional: Agent
Auto-Config for more
detail.
Access and Edit the Config File
There are various ways to add or edit parameters indragent.yaml.
Option 1: With dragent.yaml (for testing)
It is possible to edit the container’s file directly on the host.
Add parameters directly in YAML.
Access dragent.yamldirectly
at"/opt/draios/etc/dragent.yaml."
Edit the file. Use proper YAML
syntax.
See the examples at the bottom of the page.
Restart the agent for changes to take effect
Option 2: With configmap.yaml(Kubernetes)
Configmap.yaml is the configuration file where parameters can be added,
either directly in YAML as name/value pairs, or using environment
variables such as ‘ADDTIONAL_CONF."
If you install agents as DaemonSets on a system running Kubernetes, you
use configmap.yaml to connect with and manipulate the
underlyingdragent.yamlfile.
See also: Agent Install: Kubernetes | GKE | OpenShift |
IBM
Add parameters directly in YAML.
Edit the files locally and apply with the changes withkubectl -f.
Access theconfigmap.yaml.
Edit the file as needed.
Apply the changes:
kubectl apply -f sysdig-agent-configmap.yaml
Running agents will automatically pick the new configuration after
Kubernetes pushes the changes across all the nodes in the cluster.
Option 3: With Docker Run (Docker)
Add-e ADDITIONAL_CONF=”<VARIABLES>”to a Docker run command, where
<VARIABLES> contains all the customized parameters you want to
include, in a single-line format.
To insert ADDITIONAL_CONF parameters in a Docker run command or a
daemonset file, you must convert the YAML code into a single-line
format.
You can do the conversion manually for short snippets. To convert longer
portions of YAML, use echo|sed commands.
In earlier versions, the Sysdig Agent connected to port 6666. This
behavior has been deprecated, as the Sysdig agent now connects to port
6443.
The basic procedure:
Write your configuration in YAML, as it would be entered directly in
dragent.yaml.
In a bash shell, use echo and sed to convert to a single
line.
sed script: " | sed -e ‘:a’ -e ‘N’ -e ‘$!ba’ -e
’s/\n/\\n/g’
Insert the resulting line into a Docker run command or add it to the
daemonset file as an ADDITIONAL_CONF.
Example: simple
Insert parameters to turn off StatsD collection and blacklist port 6443.
YAML format
statsd enabled: false blackisted_ports: - 6443
Single-line format (manual)
Use spaces, hyphens, and \n correctly when manually converting to a
single line:
ADDITIONAL_CONF="statsd:\n disabled: false\nblacklisted_ports:\n - 6443"
Here the single line is incorporated into a full agent startup Docker
command.
docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=1234-your-key-here-1234 -e TAGS=dept:sales,local:NYC -e ADDITIONAL_CONF="statsd:\n enabled: false\nblacklisted_ports:\n - 6443" -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro sysdig/agent
Example: complex
Insert parameters to override the default configuration for a RabbitMQ
app check.
YAML format
app_checks:
- name: rabbitmq
pattern:
port: 15672
conf:
rabbitmq_api_url: "http://localhost:15672/api/"
rabbitmq_user: myuser
rabbitmq_pass: mypassword
queues:
- MyQueue1
- MyQueue2
Single-line format (echo |sed)
From a bash shell, issue the echo command and sed script.
echo "app_checks:
- name: rabbitmq
pattern:
port: 15672
conf:
rabbitmq_api_url: "http://localhost:15672/api/"
rabbitmq_user: myuser
rabbitmq_pass: mypassword
queues:
- MyQueue1
- MyQueue2
" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g'
This results in the single-line format to be used with ADDITIONAL_CONF
in a Docker command or daemonset file.
"app_checks:\n - name: rabbitmq\n pattern:\n port: 15672\n conf:\n rabbitmq_api_url: http://localhost:15672/api/\n rabbitmq_user: myuser\n rabbitmq_pass: mypassword\n queues:\n - MyQueue1\n - MyQueue2\n"
If you installed the Sysdig agent in Kubernetes using a Helm
chart, then no
configmap.yaml file was downloaded. You edit dragent.yaml using Helm
syntax:
Example
$helm install --name sysdig-agent-1 --set
sysdig.settings.tags='linux:ubuntu,dept:dev,local:nyc' --set
sysdig.settings.k8s_cluster_name='my_cluster' stable/sysdig
Will be transformed into
data:
dragent.yaml: |
tags: linux:ubuntu,dept:dev,local:nyc
k8s_cluster_name: my_cluster
Table 1: Environment Variables for Agent Config File
ACCESS_KEY
| <your Sysdig access key>
| Required |
TAGS
| <meaningful tags you want applied to your instances>
| Optional. These are displayed in Sysdig Monitor for ease of use. For example: tags: linux:ubuntu,dept:dev,local:nyc
See sysdig-agent-configmap.yaml. |
COLLECTOR
| <collector-hostname.com> or 111.222.333.400
| Enter the host name or IP address of the Sysdig collector service. Note that when used within dragent.yaml, must be lowercase collector. For SaaS regions, see: SaaS Regions and IP Ranges. |
COLLECTOR_PORT
| 6443
| On-prem only. The port used by the Sysdig collector service; default 6443. |
SECURE
| "true"
| On-prem only. If using SSL/TLS to connect to collector service value = "true" otherwise "false." |
CHECK_CERTIFICATE
| "false"
| On-prem only. Set to "true" when using SSL/TLS to connect to the collector service and should check for valid SSL/TLS certificate. |
ADDITIONAL_CONF
| | Optional. A place to provide custom configuration values to the agent as environment variables . |
SYSDIG_PROBE_URL
| | Optional. An alternative URL to download precompiled kernel module. |
Sample Docker Command Using Variables
docker run --name sysdig-agent --privileged --net host --pid host -e ACCESS_KEY=3e762f9a-3936-4c60-9cf4-c67e7ce5793b -e COLLECTOR=mycollector.elb.us-west-1.amazonaws.com -e COLLECTOR_PORT=6443 -e CHECK_CERTIFICATE=false -e TAGS=my_tag:some_value -e ADDITIONAL_CONF="log:\n file_priority: debug\n console_priority: error"
-v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --shm-size=350m sysdig/agent
1.2.2 -
Agent modes provide the ability to control metric collection to fit your
scale and specific requirement. You can choose one of the following
modes to do so:
Monitor
Monitor Light
Troubleshooting
Secure
Using a stripped-down mode limits collection of unneeded metrics, which
in turn prevents the consumption of excess resources and helps reduce
expenses.
Monitor
The Monitor mode offers an extensive collection of metrics. We recommend
this mode to monitor enterprise environments.
monitor is the default mode if you are running the Enterprise
tier. To switch back to the
Monitor mode from a different mode, do one of the following:
Add the following to the dragent.yaml file and restart the agent:
feature:
mode: monitor
Remove the parameter related to the existing mode from the
dragent.yaml file and restart the agent. For example, to switch
from troubleshooting mode to monitor, delete the following
lines:
feature:
mode: troubleshooting
Monitor Light
Monitor Light caters to the users that run agents in a
resource-restrictive environment, or to those who are interested only in
a limited set of metrics.
Monitor Light provides CPU, Memory, File, File system, and Network
metrics. For more information, see Metrics Available in Monitor
Light.
Enable Monitor Light Mode
To switch to the Monitor Light mode, edit the dragent.yaml file:
Open the dragent.yaml file.
Add the following configuration parameter:
feature:
mode: monitor_light
Restart the agent.
Troubleshooting
Troubleshooting mode offers sophisticated metrics with detailed
diagnostic capabilities. Some of these metrics are heuristic in nature.
In addition to the extensive metrics available in the Monitor mode,
Troubleshooting mode provides additional metrics such as net.sql and
additional segmentation for file and network metrics. For more
information, see Additional Metrics Values Available in
Troubleshooting.
Enable Troubleshooting Mode
To switch to the Troubleshooting mode, edit the dragent.yaml file:
Open the dragent.yaml file.
Add the following configuration parameter:
feature:
mode: troubleshooting
Restart the agent.
Secure Mode
The secure mode supports only Sysdig
Secure features.
Sysdig agent collects no metrics in the secure mode, which, in turn,
minimizes network consumption and storage requirement in the Sysdig
backend. Lower resource usage can help reduce costs and improve
performance.
In the Secure mode, the Monitor UI shows no data because no metrics are
sent to the collector.
This feature requires agent v10.5.0 or above.
Enabling Secure Mode
Open the dragent``.yaml file.
Add the following:
feature:
mode: secure
Restart the agent.
1.2.2.1 -
Metrics Available in Monitor Light
Monitor Light provides cpu, memory, file, file system, and network
metrics.
| Metrics | Description |
|---|
cpu.cores.used | See System.System |
cpu.cores.used.percent | |
cpu.idle.percent | |
cpu.iowait.percent | |
cpu.nice.percent | |
cpu.stolen.percent | |
cpu.system.percent | |
cpu.used.percent | |
cpu.user.percent | |
load.average.percpu.1m | |
load.average.percpu.5m | |
load.average.percpu.15m | |
memory.bytes.available | |
memory.bytes.total | |
memory.bytes.used | |
memory.bytes.used | |
memory.bytes.virtual | |
memory.pageFault.major | |
memory.pageFault.minor | |
memory.swap.bytes.available | |
memory.swap.bytes.total | |
memory.swap.bytes.used | |
memory.swap.used.percent | |
memory.used.percent | |
file.bytes.in | |
file.bytes.out | |
file.bytes.total | |
file.iops.in | |
file.iops.out | |
file.iops.total | |
file.open.count | |
file.time.in | |
file.time.out | |
file.time.total | |
fs.bytes.free | |
fs.bytes.total | |
fs.bytes.used | |
fs.free.percent | |
fs.inodes.total.count | |
fs.inodes.used.count | |
fs.inodes.used.percent | |
fs.largest.used.percent | |
fs.root.used.percent | |
fs.used.percent | |
net.bytes.in | |
net.bytes.out | |
net.bytes.total | |
proc.count | |
thread.count | |
container.count | |
system.uptime | |
uptime | |
1.2.2.2 -
Additional Metrics Values Available in Troubleshooting
In addition to the extensive set of metrics available in the monitor
mode, additional metrics, such as net.sql and net.mongodb, as well
as additional segmentations for file and network metrics are available.
| Metrics | Additional Metrics Values Available When Segmented by | Supported Agent Versions |
|---|
file.error.total.count | file.name and file.mount labels | Version 10.1.0 or above |
file.bytes.total | | |
file.bytes.in | | |
file.bytes.out | | |
file.open.count | | |
file.time.total | | |
host.count | | |
host.error.count | | |
proc.count | | |
proc.start.count | | |
net.mongodb.collection | all | Version 10.2.0 or above |
net.mongodb.error.count | | |
net.mongodb.operation | | |
net.mongodb.request.count | | |
net.mongodb.request.time | | |
net.sql.query | all | |
net.sql.error.count | | |
net.sql.query.type | | |
net.sql.request.count | | |
net.sql.request.time | | |
net.sql.table | | |
net.http.error.count | net.http.url | Version 10.3.0 or above |
net.http.method | | |
net.http.request.count | | |
net.http.request.time | | |
net.bytes.in | | |
net.bytes.out | | |
net.request.time.worst.out | | |
net.request.count | | |
net.request.time | | |
net.bytes.total | | |
net.http.request.time.worst | all | |
1.2.2.3 -
Metrics Not Available in Essentials Mode
The following metrics will not be reported in the essentials mode when
compared with monitor mode:
| Metrics | Segmented By |
|---|
net.bytes.in | net.connection.server, net.connection.direction, net.connection.l4proto , and net.connection.client labels |
net.bytes.out | |
net.connection.count.total | |
net.connection.count.in | |
net.connection.count.out | |
net.request.count | |
net.request.count.in | |
net.request.count.out | |
net.request.time | |
net.request.time.in | |
net.request.time.out | |
net.bytes.total | |
net.mongodb.collection | all |
net.mongodb.error.count | |
net.mongodb.operation | |
net.mongodb.request.count | |
net.mongodb.request.time | |
net.sql.query | all |
net.sql.error.count | |
net.sql.query.type | |
net.sql.request.count | |
net.sql.request.time | |
net.sql.table | |
net.sql.query | all |
net.sql.error.count | |
net.sql.query.type | |
net.sql.request.count | |
net.sql.request.time | |
net.sql.table | |
net.http.method | |
net.http.request.count | |
net.http.request.time | |
net.http.statusCode | |
net.http.url | |
1.2.3 -
Enable HTTP Proxy for Agents
You can configure the agent to allow it to communicate with the Sysdig
collector through an HTTP proxy. HTTP proxy is usually configured to
offer greater visibility and better management of the network.
Agent Behaviour
The agent can connect to the collector through an HTTP proxy by sending
an HTTP CONNECT message and receiving a response. The proxy then
initiates a TCP connection to the collector. These two connections form
a tunnel that acts like one logical connection.
By default, the agent will encrypt all messages sent through this
tunnel. This means that after the initial CONNECT message and response,
all the communication on that tunnel is encrypted by SSL end-to-end.
This encryption is controlled by the top-level ssl parameter in the
agent configuration.
Optionally, the agent can add a second layer of encryption, securing the
CONNECT message and response. This second layer of encryption may be
desired in the case of HTTP authentication if there is a concern that
network packet sniffing could be used to determine the user’s
credentials. This second layer of encryption is enabled by setting the
ssl parameter to true in the http_proxy section of the agent
configuration. See
Examples
for details.
Configuration
You specify the following parameters at the same level as http_proxy
in the dragent.yaml file. These existing configuration options affect
the communication between the agent and collector (both with and without
a proxy.
ssl: If set to true, the metrics sent from the agent to the
collector are encrypted.
ssl_verify_certificate: Determines whether the agent verifies the
SSL certificate sent from the collector.
The following configuration options affect the behavior of the HTTP
Proxy setting. You specify them under the http_proxy heading in the
dragent.yaml file.
proxy_host: Indicates the hostname of the proxy server. The
default is an empty string, which implies communication through an
HTTP proxy is disabled.
proxy_port: Specifies the port on the proxy server the agent
should connect to. The default is 0, which indicates that the HTTP
proxy is disabled.
proxy_user : Required if HTTP authentication is configured. This
option specifies the username for the HTTP authentication. The
default is an empty string, which indicates that authentication is
not configured.
proxy_password : Required if HTTP authentication is configured.
This option specifies the password for the HTTP authentication. The
default is an empty string. Specifying proxy_user with no
proxy_password is allowed.
ssl: If set to true, the connection between the agent and the
proxy server is encrypted.
Note that this parameter requires the top-level ssl parameter to
be enabled, as the agent does not support SSL to the proxy but
unencrypted traffic to the collector. This additional security
prevents you from misconfiguring the agent assuming the metrics are
as well encrypted end-to-end when they are not.
ssl_verify_certificate: Determines whether the agent will verify
the certificate presented by the proxy.
This option is configured independently of the top-level
ssl_verify_certificate parameter. This option is enabled by
default. If the provided certificate is not correct, this option can
cause the connection to the proxy server to fail.
ca_certificate: The path to the CA certificate for the proxy
server. If ssl_verify_certificate is enabled, the CA certificate
must be signed appropriately.
Examples
No SSL
The following example shows no SSL connection between the agent and the
proxy server as well as between the proxy server and the collector.
collector_port: 6667
ssl: false
http_proxy:
proxy_host: squid.yourdomain.com
proxy_port: 3128
ssl: false
SSL Between Proxy and Collector
In this example, SSL is enabled only between the proxy server and the
collector.
collector_port: 6443
ssl: true
ssl_verify_certificate: true
http_proxy:
proxy_host: squid.yourdomain.com
proxy_port: 3128
SSL
The following example shows SSL is enabled between the agent and the
proxy server as well as between the proxy server and the collector.
collector_port: 6443
ssl: true
http_proxy:
proxy_host: squid.yourdomain.com
proxy_port: 3129
ssl: true
ssl_verify_certificate: true
ca_certificate: /usr/proxy/proxy.crt
SSL with Username and Password
The following configuration instructs the agent to connect to a proxy
server located at squid.yourdomain.com on port 3128. The agent will
request the proxy server to establish an HTTP tunnel to the Sysdig
collector at collector-your.sysdigcloud.com on port 6443. The agent
will authenticate with the proxy server using the given user and
password combination.
collector: collector-your.sysdigcloud.com
collector_port: 6443
http_proxy:
proxy_host: squid.yourdomain.com
proxy_port: 3128
proxy_user: sysdig_customer
proxy_password: 12345
ssl: true
ssl_verify_certificate: true
ca_certificate: /usr/proxy/proxy_cert.crt
1.2.4 -
Filter Data
The dragent.yaml file elements are wide-reaching. This section
describes the parameters to edit in dragent.yaml to perform a range of
activities:
1.2.4.1 -
Blacklist Ports
Use the blacklisted_ports parameter in the agent configuration file to
block network traffic and metrics from unnecessary network ports.
Note: Port 53 (DNS) is always blacklisted.
Access the agent configuration file, using one of the options
listed.
Add blacklisted_ports with desired port numbers.
Example (YAML):
blacklisted_ports:
- 6443
- 6379
Restart the agent (if editing dragent.yaml file directly), using
either the service dragent restart or
docker restart sysdig-agent command as appropriate.
1.2.4.2 -
Enable/Disable Event Data
Sysdig Monitor supports event integrations with certain applications by
default. The Sysdig agent will automatically discover these services and
begin collecting event data from them.
The following applications are currently supported:
Other methods of ingesting custom events into Sysdig Monitor are touched
upon in Custom Events.
By default, only a limited set of events is collected for a supported
application, and are listed in the agent’s default settings
configuration file (/opt/draios/etc/dragent.default.yaml).
To enable collecting other supported events, add an events entry to
dragent.yaml.
You can also change log entry in dragent.yaml to filter events by
severity.
Learn more about it in the following sections.
Supported Application Events
Events marked with * are enabled by default; see the
dragent.default.yaml file.
Docker Events
The following Docker events are supported.
docker:
container:
- attach # Container Attached (information)
- commit # Container Committed (information)
- copy # Container Copied (information)
- create # Container Created (information)
- destroy # Container Destroyed (warning)
- die # Container Died (warning)
- exec_create # Container Exec Created (information)
- exec_start # Container Exec Started (information)
- export # Container Exported (information)
- kill # Container Killed (warning)*
- oom # Container Out of Memory (warning)*
- pause # Container Paused (information)
- rename # Container Renamed (information)
- resize # Container Resized (information)
- restart # Container Restarted (warning)
- start # Container Started (information)
- stop # Container Stopped (information)
- top # Container Top (information)
- unpause # Container Unpaused (information)
- update # Container Updated (information)
image:
- delete # Image Deleted (information)
- import # Image Imported (information)
- pull # Image Pulled (information)
- push # Image Pushed (information)
- tag # Image Tagged (information)
- untag # Image Untaged (information)
volume:
- create # Volume Created (information)
- mount # Volume Mounted (information)
- unmount # Volume Unmounted (information)
- destroy # Volume Destroyed (information)
network:
- create # Network Created (information)
- connect # Network Connected (information)
- disconnect # Network Disconnected (information)
- destroy # Network Destroyed (information)
Kubernetes Events
The following Kubernetes events are supported.
kubernetes:
node:
- TerminatedAllPods # Terminated All Pods (information)
- RegisteredNode # Node Registered (information)*
- RemovingNode # Removing Node (information)*
- DeletingNode # Deleting Node (information)*
- DeletingAllPods # Deleting All Pods (information)
- TerminatingEvictedPod # Terminating Evicted Pod (information)*
- NodeReady # Node Ready (information)*
- NodeNotReady # Node not Ready (information)*
- NodeSchedulable # Node is Schedulable (information)*
- NodeNotSchedulable # Node is not Schedulable (information)*
- CIDRNotAvailable # CIDR not Available (information)*
- CIDRAssignmentFailed # CIDR Assignment Failed (information)*
- Starting # Starting Kubelet (information)*
- KubeletSetupFailed # Kubelet Setup Failed (warning)*
- FailedMount # Volume Mount Failed (warning)*
- NodeSelectorMismatching # Node Selector Mismatch (warning)*
- InsufficientFreeCPU # Insufficient Free CPU (warning)*
- InsufficientFreeMemory # Insufficient Free Mem (warning)*
- OutOfDisk # Out of Disk (information)*
- HostNetworkNotSupported # Host Ntw not Supported (warning)*
- NilShaper # Undefined Shaper (warning)*
- Rebooted # Node Rebooted (warning)*
- NodeHasSufficientDisk # Node Has Sufficient Disk (information)*
- NodeOutOfDisk # Node Out of Disk Space (information)*
- InvalidDiskCapacity # Invalid Disk Capacity (warning)*
- FreeDiskSpaceFailed # Free Disk Space Failed (warning)*
pod:
- Pulling # Pulling Container Image (information)
- Pulled # Ctr Img Pulled (information)
- Failed # Ctr Img Pull/Create/Start Fail (warning)*
- InspectFailed # Ctr Img Inspect Failed (warning)*
- ErrImageNeverPull # Ctr Img NeverPull Policy Violate (warning)*
- BackOff # Back Off Ctr Start, Image Pull (warning)
- Created # Container Created (information)
- Started # Container Started (information)
- Killing # Killing Container (information)*
- Unhealthy # Container Unhealthy (warning)
- FailedSync # Pod Sync Failed (warning)
- FailedValidation # Failed Pod Config Validation (warning)
- OutOfDisk # Out of Disk (information)*
- HostPortConflict # Host/Port Conflict (warning)*
replicationController:
- SuccessfulCreate # Pod Created (information)*
- FailedCreate # Pod Create Failed (warning)*
- SuccessfulDelete # Pod Deleted (information)*
- FailedDelete # Pod Delete Failed (warning)*
Enable/Disable Events Collection with events Parameter
To customize the default events collected for a specific application (by
either enabling or disabling events), add an events entry to
dragent.yaml as described in the examples below.
An entry in a section in dragent.yaml overrides the entire section
in the default configuration.
For example, the Pulling entry below will permit only kubernetes pod
Pulling events to be collected and all other kubernetes pod events
settings in dragent.default.yaml will be ignored.
However, other kubernetes sections - node and replicationController-
remain intact and will be used as specified in dragent.default.yaml.
Example 1: Collect Only Certain Events
Collect only ‘Pulling’ events from Kubernetes for pods:
events:
kubernetes:
pod:
- Pulling
Example 2: Disable All Events in a Section
To disable all events in a section, set the event section to none:
events:
kubernetes: none
docker: none
Example 3: Combine Methods
These methods can be combined. For example, disable all kubernetes node
and docker image events and limit docker container events to
[attach, commit, copy] (components events in other sections will be
collected as specified by default):
events:
kubernetes:
node: none
docker:
image: none
container:
- attach
- commit
- copy
In addition to bulleted lists, sequences can also be specified in a
bracketed single line, eg.:
events:
kubernetes:
pod: [Pulling, Pulled, Failed]
So, the following two settings are equivalent, permitting only
Pulling, Pulled, Failed events for pods to be emitted:
events:
kubernetes:
pod: [Pulling, Pulled, Failed]
events:
kubernetes:
pod:
- Pulling
- Pulled
- Failed
Change Event Collection by Severity with log Parameter
Events are limited globally at the agent level based on severity, using
the log settings in dragent.yaml.
The default setting for the events severity filter is information
(only warning and higher severity events are transmitted).
Valid severity levels are:
none, emergency, alert, critical, error, warning, notice, information, debug.
Example 1: Block Low-Severity Messages
Block all low-severity messages (notice, information, debug):
log:
event_priority: warning
Example 2: Block All Event Collection
Block all event collection:
log:
event_priority: none
For other uses of the log settings see Optional: Change the Agent Log
Level.
1.2.4.3 -
Include/Exclude Custom Metrics
For more information, see Integrate Applications (Default App
Checks).
It is possible to filter custom metrics in the following ways:
Ability to include/exclude custom metrics using configurable
patterns,
Ability to log which custom metrics are exceeding limits
After you identify those key custom metrics that must be received, use
the new ‘include’ and ‘exclude’ filtering parameters to make sure you
receive them before the metrics limit is hit.
Filter Metrics Example
Here is an example configuration entry that would be put into the agent
config file: (/opt/draios/etc/dragent.yaml)
metrics_filter:
- include: test.*
- exclude: test.*
- include: haproxy.backend.*
- exclude: haproxy.*
- exclude: redis.*
Given the config entry above, this is the action for these metrics:
test.* → send
haproxy.backend.request → send
haproxy.frontend.bytes → drop
redis.keys → drop
The semantic is: whenever the agent is reading metrics, they are
filtered according to configured filters and the filtering rule order -
the first rule that matches will be applied. Thus since the inclusion
item for test.* was listed first it will be followed and that second
‘exclude’ rule for the same exact metric entry will be ignored.
Logging Accepted/Dropped Metrics
Logging is disabled by default. You can enable logging to see which
metrics are accepted or dropped by adding the following configuration
entry into the dragent.yaml config file:
metrics_excess_log: true
When logging of excess metrics is enabled, logging occurs at INFO-level,
every 30 seconds and lasts for 10 seconds. The entries that can be seen
in /opt/draios/logs/draios.log will be formatted like this:
+/-[type] [metric included/excluded]: metric.name (filter: +/-[metric.filter])
The first ‘+’ or ‘-’, followed by ‘type’ provides an easy way to quickly
scan the list of metrics and spot which are included or excluded ('+'
means “included”, ‘-’ means “excluded”).
The second entry specifies metric type (“statsd”, “app_check”,
“service_check”, or “jmx”).
A third entry spells out whether “included” or “excluded”, followed by
the metric name. Finally, inside the last entry (in parentheses), there
is information about filter applied and its effect ('+' or ‘-’, meaning
“include” or “exclude”).
With this example filter rule set:
metrics_filter:
- include: mongo.statsd.net*
- exclude: mongo.statsd.*
We might see the following INFO-level log entries (timestamps stripped):
-[statsd] metric excluded: mongo.statsd.vsize (filter: -[mongo.statsd.*])
+[statsd] metric included: mongo.statsd.netIn (filter: +[mongo.statsd.net*])
1.2.4.4 -
Prioritize Designated Containers
To get the most out of Sysdig Monitor, you may want to customize the way
in which container data is prioritized and reported. Use this page to
understand the default behavior and sorting rules, and to implement
custom behavior when and where you need it. This can help reduce agent
and backend load by not monitoring unnecessary containers, or– if
encountering backend limits for containers– you can filter to ensure
that the important containers are always reported.
Overview
By default, a Sysdig agent will collect metrics from all containers it
detects in an environment. When reporting to the Monitor interface, it
uses default sorting behavior to prioritize what container information
to display first.
Understand Default Behavior
Out of the box, it chooses the containers with the highest
and allocates approximately 1/4 of the total limit to each stat type.
Understand Simple Container Filtering
As of agent version 0.86,
it is possible set a use_container_filter parameter in the agent
config file, tag/label specific containers, and set include/exclude
rules to push those containers to the top of the reporting hierarchy.
This is an effective sorting tool when:
You can manually mark each container with an include or exclude
tag, AND
The number of includes is small (say, less than 100)
In this case, the containers that explicitly match the include rules
will take top priority.
Understand Smart Container Reporting
In some enterprises, the number of containers is too high to tag with
simple filtering rules, and/or the include_all group is too large to
ensure that the most-desired containers are consistently reported. As of
Sysdig agent version 0.91,
you can append another parameter to the agent config file,
smart_container_reporting.
This is an effective sorting tool when:
The number of containers is large and you can’t or won’t mark each
one with include/exclude tags, AND
There are certain containers you would like to always prioritize
This helps ensure that even when there are thousands of containers in an
environment, the most-desired containers are consistently reported.
Container filtering and smart container reporting affect the monitoring
of all the processes/metrics within a container, including StatsD, JMX,
app-checks, and built-in metrics.
Prometheus metrics are attached to processes, rather than containers,
and are therefore handled differently.
The container limit is set in dragent.yaml under containers:limit:
Understand Sysdig Aggregated Container
The sydig_aggregated parameter is automatically activated when smart
container reporting is enabled, to capture the most-desired metrics from
the containers that were excluded by smart filtering and report them
under a single entity. It appears like any other container in the Sysdig
Monitor UI, with the name “sysdig_aggregated.”
Sysdig_aggregated can report on a wide array of metrics; see
Sysdig_aggregated Container
Metrics. However, because
this is not a regular container, certain limitations apply:
container_id and container_image do not exist.
The aggregated container cannot be segmented by certain metrics that
are excluded, such as process.
Some default dashboards associated with the aggregated container may
have some empty graphs.
Use Simple Container Filtering
By default, the filtering feature is turned off. It can be enabled by
adding the following line to the agent configuration:
use_container_filter: true
When enabled, the agent will follow include/exclude filtering rules
based on:
The default behavior in default.dragent.yaml excludes based on a
container label (com.sysdig.report) and/or a Kubernetes pod
annotation (.sysdig.com/report ).
Container Condition Parameters and Rules
Parameters
The condition parameters are described in the following table:
container.image
| Matches if the process is running inside a container running the specified image | - include:
container.image: luca3m/prometheus-java-app
|
container.name
| Matches if the process is running inside a container with the specified name | - include:
container.name: my-java-app
|
container.label.*
| Matches if the process is running in a container that has a Label matching the given value | - include:
container.label.class: exporter
|
kubernetes.<object>.annotation.* kubernetes.<object>.label.*
| Matches if the process is attached to a Kubernetes object (Pod, Namespace, etc.) that is marked with the Annotation/Label matching the given value. | - include:
kubernetes.pod.annotation.prometheus.io/scrape: true
|
all | Matches all. Use as last rule to determine default behavior. | - include:
all
|
Rules
Once enabled (when use_container_filter: true is set), the agent will
follow filtering rules from the container_filter section.
Each rule is an include or exclude rule which can contain one or
more conditions.
The first matching rule in the list will determine if the container
is included or excluded.
The conditions consist of a key name and a value. If the given key
for a container matches the value, the rule will be matched.
If a rule contains multiple conditions they all need to match for
the rule to be considered a match.
Default Configuraton
The dragent.default.yaml contains the following default configuration
for container filters:
use_container_filter: false
container_filter:
- include:
container.label.com.sysdig.report: true
- exclude:
container.label.com.sysdig.report: false
- include:
kubernetes.pod.annotation.sysdig.com/report: true
- exclude:
kubernetes.pod.annotation.sysdig.com/report: false
- include:
all
Note that it excludes via a container.label and by a
kubernetes.pod.annotation.
The examples on this page show how to edit in the dragent.yaml file
directly. Convert the examples to Docker or Helm commands, if applicable
for your situation.
Enable Container Filtering in the Agent Config File
Option 1: Use the Default Configuration
To enable container filtering using the default configuration in
default.dragent.yaml (above), follow the steps below.
1. Apply Labels and/or Annotations to Designated Containers
To set up, decide which containers should be excluded from automatic
monitoring.
Apply the container label .com.sysdig.report and/or the Kubernetes
pod annotation sysdig.com/report to the designated containers.
2. Edit the Agent Configuration
Add the following line to dragent.yaml to turn on the default
functionality:
use_container_filter: true
Option 2: Define Your Own Rules
You can also edit dragent.yaml to apply your own container filtering
rules.
1. Designate Containers
To set up, decide which containers should be excluded from automatic
monitoring.
Note the image, name, label, or Kubernetes pod information as
appropriate, and build your rule set accordingly.
2. Edit the Agent Configuration
For example:
use_container_filter: true
container_filter:
- include:
container.name: my-app
- include:
container.label.com.sysdig.report: true
- exclude:
kubernetes.namespace.name: kube-system
container.image: "gcr.io*"
- include:
all
The above example shows a container_filter with 3 include rules and 1
exclude rule.
If the container name is “my-app” it will be included.
Likewise, if the container has a label with the key
“com.sysdig.report” and with the value “true”.
If neither of those rules is true, and the container is part of a
Kubernetes hierarchy within the “kube-system” namespace and the
container image starts with “gcr.io”, it will be excluded.
The last rule includes all, so any containers not matching an
earlier rule will be monitored and metrics for them will be sent to
the backend.
Use Smart Container Reporting
As of Sysdig agent version
0.91, you can add another
parameter to the config file: smart_container_reporting = true
This enables several new prioritization checks:
The sort is modified with the following rules in priority order:
User-specified containers come before others
Containers reported previously should be reported before those which
have never been reported
Containers with higher usage by each of the 4 default stats should
come before those with lower usage
Enable Smart Container Reporting and sysdig_aggregated
Set up any simple container filtering rules you need, following
either Option 1 or Option 2, above.
Edit the agent configuration:
smart_container_reporting: true
This turns on both smart_container_reporting and
sysdig_aggregated. The changes will be visible in the Sysdig
Monitor UI.
See also Sysdig_aggregated Container
Metrics..
Logging
When the log level is set to DEBUG, the following messages may be found
in the logs:
| message | meaning |
|---|
| container <id>, no filter configured | container filtering is not enabled |
| container <id>, include in report | container is included |
| container <id>, exclude in report | container is excluded |
| Not reporting thread <thread-id> in container <id> | Process thread is excluded |
See also: Optional: Change the Agent Log
Level.
1.2.4.4.1 -
Sysdig Aggregated Container Metrics
Sysdig_aggregated containers can report on the following metrics:
tcounters
other
time_ns
time_percentage
count
io_file
time_ns_in
time_ns_out
time_ns_other
time_percentage_in
time_percentage_out
time_percentage_other
count_in
count_out
count_other
bytes_in
bytes_out
bytes_other
io_net
time_ns_in
time_ns_out
time_ns_other
time_percentage_in
time_percentage_out
time_percentage_other
count_in
count_out
count_other
bytes_in
bytes_out
bytes_other
processing
time_ns
time_percentage
count
reqcounters
other
time_ns
time_percentage
count
io_file
time_ns_in
time_ns_out
time_ns_other
time_percentage_in
time_percentage_out
time_percentage_other
count_in
count_out
count_other
bytes_in
bytes_out
bytes_other
io_net
time_ns_in
time_ns_out
time_ns_other
time_percentage_in
time_percentage_out
time_percentage_other
count_in
count_out
count_other
bytes_in
bytes_out
bytes_other
processing
time_ns
time_percentage
count
max_transaction_counters
time_ns_in
time_ns_out
count_in
count_out
resource_counters
syscall_errors
count
count_file
count_file_opened
count_net
protos
http
server_totals
ncalls
time_tot
time_max
bytes_in
bytes_out
nerrors
client_totals
ncalls
time_tot
time_max
bytes_in
bytes_out
nerrors
mysql
server_totals
ncalls
time_tot
time_max
bytes_in
bytes_out
nerrors
client_totals
ncalls
time_tot
time_max
bytes_in
bytes_out
nerrors
postgres
server_totals
ncalls
time_tot
time_max
bytes_in
bytes_out
nerrors
client_totals
ncalls
time_tot
time_max
bytes_in
bytes_out
nerrors
mongodb
server_totals
ncalls
time_tot
time_max
bytes_in
bytes_out
nerrors
client_totals
ncalls
time_tot
time_max
bytes_in
bytes_out
nerrors
names
transaction_counters
time_ns_in
time_ns_out
count_in
count_out
1.2.4.5 -
Include/Exclude Processes
In addition to filtering data by container, it is also possible to
filter independently by process. Broadly speaking, this refinement helps
ensure that relevant data is reported while noise is reduced. More
specifically, use cases for process filtering may include:
Wanting to alert reliably whenever a given process goes down. The
total number of processes can exceed the reporting limit; when that
happens, some processes are not reported. In this case, an
unreported process could be misinterpreted as being “down.” Specify
a filter for 30-40 processes to guarantee that they will always be
reported.
Wanting to limit the number of noisy but inessential processes being
reported, for example: sed, awk, grep, and similar tools that may be
used infrequently.
Wanting to prioritize workload-specific processes, perhaps from
integrated applications such as NGINX, Supervisord or PHP-FPM.
Note that you can report on processes and containers independently;
the including/excluding of one does not affect the including/excluding
of the other.
Prerequisites_Processes
This feature requires the following Sysdig component versions:
Understand Process Filtering Behavior
By default, processes are reported according to internal criteria such
as resource usage (CPU/memory/file and net IO) and container count.
If you choose to enable process filtering, processes in the include list
will be given preference over other internal criteria.
Processes are filtered based on a standard priority filter description
already used in Sysdig yaml files. It is comprised of -include and
-exclude statements which are matched in order, with evaluation ceasing
with the first matched statement. Statements are considered matched if
EACH of the conditions in the statement is met.
Use Process Filtering
Edit dragent.yaml per the following patterns to implement the filtering
you need.
Process Condition Parameters and Rules
The process: condition parameters and rules are described below.
| Name | Value | Description |
|---|
app_checks_always_send: | true/false | Legacy config that causes the agent to emit any process with app check. With process filtering, this translates to an extra “include” clause at the head of the process filter which matches a process with any app check, thereby overriding any exclusions. Still subject to limit. |
flush_filter: | | Definition of process filter to be used if flush_filter_enabled == true. Defaults to -include all |
flush_filter_enabled: | true/false | Defaults to false (default process reporting behavior). Set to true to use the rest of the process filtering options. |
limit: | N (chosen number) | Defines the approximate limit of processes to emit to the backend, within 10 processes or so. Default is 250 processes. |
top_n_per_container: | N (chosen number) | Defines how many of the top processes per resource category per emitted container to report after included processes. Still subject to limit. Defaults to 1. |
top_n_per_host: | N (chosen number) | Defines how many of the top processes per resource category per host are reported before included processes. Still subject to limit. Defaults to 1. |
The process: Condition Parameters
Rules
container.image: my_container_image Validates whether the
container image associated with the process is a wild card match of
the provided image name
container.name: my_container_name Validates whether the container
name associated with the process is a wild card match of the
provided image name
container.label.XYZ: value Validates whether the label XYZ of the
container associated with the process is a wildcard match of the
provided value
process.name: my_process_name Validates whether the name of the
process is a wild card match of the provided value
process.cmdline: value Checks whether the executable name of a
process contains the specified value, or any argument to the process
is a wildcard match of the provided value
appcheck.match: value Checks whether the process has any appcheck
which is a wildcard match of the given value
all Matches all processes, but does not whitelist them, nor does
it blacklist them. If no filter is provided, the default
is -include all. However, if a filter is provided and no match is
made otherwise, then all unmatched processes will be blacklisted. In
most cases, the definition of a process filter should end
with -include: all.
Examples
Block All Processes from a Container
Block all processes from a given container. No processes
from some_container_name will be reported.
process:
flush_filter_enabled: true
flush_filter:
- exclude:
container.name: some_container_name
- include:
allprocess: flush_filter: - exclude: container.name: some_container_name - include: all
Prioritize Processes from a Container
Send all processes from a given container at high priority.
process:
flush_filter_enabled: true
flush_filter:
- include:
container.name: some_container_name
- include:
all
Prioritize “java” Processes
Send all processes that contain ‘java" in the name at high priority.
process:
flush_filter_enabled: true
flush_filter:
- include:
process.name: java
- include:
all
Prioritize “java” Processes from a Particular Container
Send processes containing “java” from a given container at high
priority.
process:
flush_filter_enabled: true
flush_filter:
- include:
container.name: some_container_name
process.name: java
- include:
all
Prioritize “java” Processes not in a Particular Container
Send all processes that contain “java” in the name that are not in
container some_container_nane.
process:
flush_filter_enabled: true
flush_filter:
- exclude:
container.name: some_container_name
- include:
process.name: java
- include:
all
Prioritize “java” Processes even from an Excluded Container
Send all processes containing “java” in the name. If a process does not
contain “java” in the name and if the container within which the process
runs is named some_container_name, then exclude it.
Note that each include/exclude rule is handled sequentially and
hierarchically so that even if the container is excluded, it can still
report “java” processes.
flush_filter:
- flush_filter_enabled: true
- include:
process.name: java
- exclude:
container.name: some_container_name
- include:
all
Prioritize “java” Processes and “sql” Processes from Different Containers
Send Java processes from one container and SQL processes from another at
high priority.
process:
flush_filter:
- flush_filter_enabled: true
- include:
container.name: java_container_name
process.name: java
- include
container.name: sql_container_name
process.name: sql
- include
all
Report ONLY Processes in a Particular Container
Only send processes running in a container with a given label.
process:
flush_filter:
- flush_filter_enabled: true
- include:
=container.label.report_processes_from_this_container_example_label: true
- exclude:
all
1.2.4.6 -
Collect Metrics from Remote File Systems
Sysdig agent does not automatically discover and collect metrics from
external file systems, such as NFS, by default. To enable collecting
these metrics, add the following entry to the dragent.yaml file:
remotefs.enabled = true
In addition to the remote file systems, the following mount types are
also excluded because they cause high load.
mounts_filter:
- exclude: "*|autofs|*"
- exclude: "*|proc|*"
- exclude: "*|cgroup|*"
- exclude: "*|subfs|*"
- exclude: "*|debugfs|*"
- exclude: "*|devpts|*"
- exclude: "*|fusectl|*"
- exclude: "*|mqueue|*"
- exclude: "*|rpc_pipefs|*"
- exclude: "*|sysfs|*"
- exclude: "*|devfs|*"
- exclude: "*|devtmpfs|*"
- exclude: "*|kernfs|*"
- exclude: "*|ignore|*"
- exclude: "*|rootfs|*"
- exclude: "*|none|*"
- exclude: "*|tmpfs|*"
- exclude: "*|pstore|*"
- exclude: "*|hugetlbfs|*"
- exclude: "*|*|/etc/resolv.conf"
- exclude: "*|*|/etc/hostname"
- exclude: "*|*|/etc/hosts"
- exclude: "*|*|/var/lib/rkt/pods/*"
- exclude: "overlay|*|/opt/stage2/*"
- exclude: "/dev/mapper/cl-root*|*|/opt/stage2/*"
- exclude: "*|*|/dev/termination-log*"
- include: "*|*|/var/lib/docker"
- exclude: "*|*|/var/lib/docker/*"
- exclude: "*|*|/var/lib/kubelet/pods/*"
- exclude: "*|*|/run/secrets"
- exclude: "*|*|/run/containerd/*"
- include: "*|*|*"
To include a mount type:
Open the dragent.yaml file.
Remove the corresponding line from the exclude list in the
mount_filter.
Add the file mount to the include list under mount_filter .
The format is:
# format of a mount filter is:
# ```
# mounts_filter:
# - exclude: "device|filesystem|mount_directory"
# - include: "pattern1|pattern2|pattern3"
For example:
mounts_filter:
- include: "*|autofs|*"mounts_filter:
- include: "overlay|*|/opt/stage2/*"
- include: "/dev/mapper/cl-root*|*|/opt/stage2/*"
Save the configuration changes and restart the agent.
1.2.4.7 -
Disable Captures
Sometimes, security requirements dictate that capture functionality
should NOT be triggered at all (for example, PCI compliance for payment
information).
To disable Captures altogether:
Access using one of the options
listed.
This example accesses dragent.yaml directly. ``
Set the parameter:
sysdig_capture_enabled: false
Restart the agent, using the command: ``
service dragent restart
See Captures for more
information on the feature
1.2.5 -
Reduce Memory Consumption in Agent
Sysdig provides a configuration option called Thin Cointerface to reduce
the memory footprint in the agent. When the agent is installed as a
Kubernetes daemonset, you can optionally enable the Thin Cointerface in
the sysdig-agent configmap.
In a typical Kubernetes cluster, two instances of agent daemonset are
installed to retrieve the data. They are automatically connected to the
Kubernetes API server to retrieve the metadata associated with the
entities running on the cluster and sends the global Kubernetes state to
the Sysdig backend. Sysdig uses this data to generate Kube State
Metrics.
A delegated agent will not have a higher CPU or memory footprint than a
non-delegated agent.
On very large Kubernetes clusters (in the range of 10,000 pods) or
clusters with several Replication Controllers, the agent’s data
ingestion can have a significant memory footprint on itself and on the
Kubernetes API server. Thin Cointerface is provided to reduce this
impact.
Enabling this option changes the way the agent communicates with the API
server and reduces the need to cache data, which in turn reduces the
overall memory usage. Thin Cointerface does this by moving some
processing from the agent’s cointerface process to the dragent process.
This change does not alter the data which is ultimately sent to the
backend nor will it impact any Sysdig feature.
The thin cointerface feature is disabled by default.
To enable:
Add the following in either the sysdig-agent’s configmap or via
the dragent.yaml file:
thin_cointerface_enabled: true
Restart the agent.
1.2.6 -
Enable Kube State Metrics
Updated versions of the Sysdig agent can collect HPA, PVS, and other
kube state metrics with the parameter k8s_extra_resources.
First, you must edit the agent config file, dragent.yaml, as follows:
k8s_extra_resources:
include:
- services
- resourcequotas
- persistentvolumes
- persistentvolumeclaims
- horizontalpodautoscalers
See also: Understanding the Agent Config
Files.
1.2.7 -
Process Kubernetes Events
Use Go to Process Kubernetes Events
Required: Sysdig agent version 92.1 or higher.
As of agent version 9.5.0, go_k8s_user_events:true is the default
setting. Set to false to use the older, C++-based version.
To streamline Sysdig agent processing times and reduce CPU load, you can
use an updated processing engine written in Go.
To do so, edit the following code in dragent.yaml:
go_k8s_user_events: true
Kubernetes Audit Events
The agent listens on /k8s-audit for Kubernetes audit events. Configure
the path using the following configuration option:
security:{k8s_audit_server_path_uris: [path1, path2]}
For more information, see Kubernetes Audit
Logging.
1.2.8 -
Manage Agent Log Levels
Sysdig allows you to configure file log levels for agents globally and
granularly.
1.2.8.1 -
Change Agent Log Level Globally
The Sysdig agent generates log entries in /opt/draios/logs/draios.log.
The agent will rotate the log file when it reaches 10MB in size, keeping
the 10 most recent log files archived with a date-stamp appended to the
filename.
In order of increasing detail, the log levels available are: [ none
| critical| error | warning |notice | info | debug | trace ].
The default level (info) creates an entry for each aggregated
metrics transmission to the backend servers, once per second, in
addition to entries for any warnings and errors.
Setting the value lower than info may prohibit troubleshooting
agent-related issues.
The type and amount of logging can be changed by adding parameters and
log level arguments shown below to the agent’s user settings
configuration file here:
/opt/draios/etc/dragent.yaml
After editing the dragent.yaml file, restart the agent at the shell
with: service dragent restart to affect changes.
Note that dragent.yaml code can be written in both YAML and JSON. The
examples below use YAML.
File Log Level
When troubleshooting agent behavior, increase the logging to debug for
full detail:
log:
file_priority: debug
If you wish to reduce log messages going to the
/opt/draios/logs/draios.log file, add the log: parameter with one of
the following arguments under it and indented two spaces: [ none |
error | warning | info | debug | trace ]
log:
file_priority: error
Container Console Logging
If you are running the containerized agent, you can also reduce
container console output by adding the additional parameter
console_priority:with the same arguments [ none | error | warning
| info | debug | trace ]
log:
console_priority: warning
Note that troubleshooting a host with less than the default ‘info’ level
will be more difficult or not possible. You should revert to ‘info’ when
you are done troubleshooting the agent.
A level of ‘error’ will generate the fewest log entries, a level of
‘trace’ will give the most, ‘info’ is the default if no entry exists.
Example in dragent.yaml
customerid: 831f3-Your-Access-Key-9401
tags: local:sf,acct:eng,svc:websvr
log:
file_priority: warning
console_priority: info
OR
customerid: 831f3-Your-Access-Key-9401
tags: local:sf,acct:eng,svc:websvr
log: { file_priority: debug, console_priority: debug }
Docker run command
If you are using the “ADDITIONAL_CONF” parameter to start a Docker
containerized agent, you would specify this entry in the Docker run
command:
-e ADDITIONAL_CONF=“log: { file_priority: error, console_priority: none }”
-e ADDITIONAL_CONF="log:\n file_priority: error\n console_priority: none"
Kubernetes Infrastructure
When running in a Kubernetes infrastructure (installed using the v1
method, comment in the “ADDITIONAL_CONF” line in the agent
sysdig-daemonset.yaml manifest file, and modify as needed:
- name: ADDITIONAL_CONF #OPTIONAL pass additional parameters to the agent
value: "log:\n file_priority: debug\n console_priority: error"
1.2.8.2 -
Manage File Logging for Agent Components
Sysdig Agent provides the ability to set component-wise log levels that
override the global file logging level controlled by the file_priority
configuration option. The components represent internal software modules
and can be found in /opt/draios/logs/draios.log.
By controlling logging at the fine-grained component level, you can
avoid excessive logging from certain components in draios.log or
enable extra logging from specific components for troubleshooting.
To set component-level logging:
Determine the agent component you want to set the log level:
To do so,
Open the /opt/draios/logs/draios.log file.
Copy the component name.
The format of the log entry is:
<timestamp>, <<pid>.<tid>>, <log level>, <component>[pid]:[line]: <message>
For example, the given snippet from a sample log file shows log
messages from sdjagent, mountedfs_reader,
watchdog_runnable, protobuf_file_emitter,
connection_manager, and dragent.
2020-09-07 17:56:01.173, 27979.28018, Information, sdjagent[27980]: Java classpath: /opt/draios/share/sdjagent.jar
2020-09-07 17:56:01.173, 27979.28018, Information, mountedfs_reader: Starting mounted_fs_reader with pid 27984
2020-09-07 17:56:01.174, 27979.28019, Information, watchdog_runnable:105: connection_manager starting
2020-09-07 17:56:01.174, 27979.28019, Information, protobuf_file_emitter:64: Will save protobufs for all message types
2020-09-07 17:56:01.174, 27979.28019, Information, connection_manager:282: Initiating connection to collector
2020-09-07 17:56:01.175, 27979.27979, Information, dragent:1243: Created Sysdig inspector
Open /opt/draios/etc/dragent.yaml.
Edit the dragent.yaml file and add the desired components:
In this example, you are setting the global level to notice and
component log levels for sdjagent, watchdog_runnable,
protobuf_file_emitter, and connection_manager.
log:
file_priority: notice
file_priority_by_component:
- "connection_manager: debug"
- "protobuf_file_emitter: notice"
- "watchdog_runnable: warning"
- "sdjagent: error"
The log levels specified for components override global settings.
Restart the agent.
For example, if you have installed the agent as a service, then run:
$ service dragent restart
1.2.8.3 -
Manage Console Logging for Agent Components
Sysdig Agent provides the ability to set component-wise log levels that
override the global console logging level controlled by the
console_priority configuration option. The components represent
internal software modules and can be found in
/opt/draios/logs/draios.log.
By controlling logging at the fine-grained component level, you can
avoid excessive logging from certain components in draios.log or
enable extra logging from specific components for troubleshooting.
To set component-level logging:
Determine the agent component you want to set the log level:
To do so,
Look at the console output.
If you’re using an orchestrator like Kubernetes, the log viewer
facility, such as the kubectl log command, shows the console
log output.
Copy the component name.
The format of the log entry is:
<timestamp>, <<pid>.<tid>>, <log level>, <component>[pid]:[line]: <message>
For example, the given snippet from a sample log file shows log
messages from sdjagent, mountedfs_reader,
watchdog_runnable, protobuf_file_emitter,
connection_manager, and dragent.
2020-09-07 17:56:01.173, 27979.28018, Information, sdjagent[27980]: Java classpath: /opt/draios/share/sdjagent.jar
2020-09-07 17:56:01.173, 27979.28018, Information, mountedfs_reader: Starting mounted_fs_reader with pid 27984
2020-09-07 17:56:01.174, 27979.28019, Information, watchdog_runnable:105: connection_manager starting
2020-09-07 17:56:01.174, 27979.28019, Information, protobuf_file_emitter:64: Will save protobufs for all message types
2020-09-07 17:56:01.174, 27979.28019, Information, connection_manager:282: Initiating connection to collector
2020-09-07 17:56:01.175, 27979.27979, Information, dragent:1243: Created Sysdig inspector
Open /opt/draios/etc/dragent.yaml.
Edit the dragent.yaml file and add the desired components:
In this example, you are setting the global level to notice and
component log levels for sdjagent, watchdog_runnable,
protobuf_file_emitter, and connection_manager.
log:
console_priority: notice
console_priority_by_component:
- "connection_manager: debug"
- "protobuf_file_emitter: notice"
- "watchdog_runnable: warning"
- "sdjagent: error"
The log levels specified for components override global settings.
Restart the agent.
For example, if you have installed the agent as a service, then run:
$ service dragent restart
1.2.9 -
Agent Auto-Config
Introduction
If you want to maintain centralized control over the configuration of
your Sysdig agents, one of the following approaches is typically ideal:
Via an orchestration system, such as using
Kubernetes or
Mesos/Marathon.
Using a configuration management system, such as
Chef or
Ansible.
However, if these approaches are not viable for your environment, or to
further augment your Agent configurations via central control, Sysdig
Monitor provides an Auto-Config option for agents. The feature allows
you to upload fragments of YAML configuration to Sysdig Monitor that
will be automatically pushed and applied to some/all of your Agents
based on your requirements.
Enable Agent Auto-Config
Independent of the Auto-Config feature, typical Agent configuration
lives in /opt/draios/etc and is derived from a combination of base
config in the dragent.default.yaml file and any overrides that may
be present in dragent.yaml. See also Understanding the Agent Config
Files.
Agent Auto-Config adds a middle layer of possible overrides in an
additional file dragent.auto.yaml.When present, the the order of
config application from highest precedence to lowest now becomes:
dragent.yaml
dragent.auto.yaml
dragent.default.yaml
While all Agents are by default prepared to receive and make use of
Auto-Config data, the file dragent.auto.yaml will not be present on
an Agent until you’ve pushed central Auto-Config data to be applied to
that Agent.
Auto-Config settings are performed via Sysdig Monitor’s REST API.
Simplified examples are available that use the Python client
library to
get
or
set
current Auto-Config settings. Detailed examples using the REST API are
shown below.
The REST endpoint for Auto-Config is /api/agents/config. Use the
GET method to review the current configuration. The following
example shows the initial empty settings that result in no
dragent.auto.yaml files being present on your Agents.
curl -X GET \
--header "Authorization: Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
https://app.sysdigcloud.com/api/agents/config
Output:
{
"files": []
}
Use the PUT method to centrally push YAML that will be distributed
and applied to your Agents as dragent.auto.yaml files. The
content parameter must contain syntactically-correct YAML. The
filter option is used to specify if the config should be sent to one
agent or all of them, such as in this example to globally enable Debug
logging on all Agents:
curl -X PUT \
--header "Content-Type: application/json" \
--header "Authorization: Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
https://app.sysdigcloud.com/api/agents/config -d '
{
"files": [
{
"filter": "*",
"content": "log:\n console_priority: debug"
}
]
}'
Alternatively, the filter can specify a hardware MAC address for a
single Agent that should receive a certain YAML config. All MAC-specific
configs should appear at the top of the JSON object and are not
additive to any global Auto-Config specified with “filter”: “*" at
the bottom. For example, when the following config is applied, the one
Agent that has the MySQL
app check configured would not have Debug logging enabled, but all
others would.
curl -X PUT \
--header "Content-Type: application/json" \
--header "Authorization: Bearer xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
https://app.sysdigcloud.com/api/agents/config -d '
{
"files": [
{
"filter": "host.mac = \"08:00:27:de:5b:b9\"",
"content": "app_checks:\n - name: mysql\n pattern:\n comm: mysqld\n conf:\n server: 127.0.0.1\n user: sysdig-cloud\n pass: sysdig-cloud-password"
},
{
"filter": "*",
"content": "log:\n console_priority: debug"
}
]
}'
To update the active central Auto-Config settings, simply PUT a
complete replacement JSON object.
All connected Agents will receive centrally-pushed Auto-Config updates
that apply to them based on the filter settings. Any Agent whose
Auto-Config is enabled/disabled/changed based on the centrally-pushed
settings will immediately restart, putting the new configuration into
effect. Any central Auto-Config settings that would result in a
particular Agent’s Auto-Config remaining the same will not trigger a
restart.
Disable Agent Auto-Config
To clear all Agent Auto-Configs, use the PUTmethod to upload the
original blank config setting of '{ “files”: [] }'.
It is also possible to override active Auto-Config on an individual
Agent. To do so, follow these steps for your Agent:
Add the following config directly to the dragent.yaml file:
auto_config: false.
Delete the file /opt/draios/etc/dragent.auto.yaml.
Restart the Agent.
For such an Agent to opt-in to Auto-Config again, remove auto_config:
false from the dragent.yaml and restart the Agent.
Restrictions
To prevent the possibility of pushing Auto-Config that would damage an
Agent’s ability to connect, the following keys will not be accepted in
the centrally-pushed YAML.
auto_config
customerid
collector
collector_port
ssl
ssl_verify_certificate
ca_certificate
compression
1.2.10 -
Tuning Sysdig Agent
The resource requirements for the Sysdig agent are subjective to the
size and load of the host. Increased activity equates to higher resource
requirements. At a minimum, the agent requires 2% of the total CPU and
512 MiB of memory.
You might see 5 to 20 KiB/s of bandwidth consumed. Different variables
can increase the throughput required. For example:
When a Sysdig Capture is being collected, you can expect to see a spike
in the bandwidth while the capture file is being ingested.
Sysdig does not recommend placing bandwidth shaping or caps on the agent
to ensure that data is sent to the Sysdig Collection service.
In general, in larger clusters, the agent requires more memory, and in
servers with a high number of cores, the agent requires more CPU cores
to monitor all the system calls. You will use CPU cores on the host and
the Kubernetes nodes visible to the agent as proxies for the rate of
events processed in the agent.
Similarly, there are different factors that are at play, and considering
all the factors, we recommend the following:
Small: CPU core count <= 8. Kubernetes nodes <=10
Medium: 8 < CPU core count <= 32. 10 < Kubernetes nodes
<= 100
Large: CPU core count > 32. Kubernetes nodes > 100
While you can expect the behavior with the given numbers to be better
than simply using the default values, Sysdig cannot guarantee that
resource allocation will be correct for all the cases.
| Cluster Size | Small | Medium | Large |
|---|
| Kubernetes CPU Request | 1 | 3 | 5 |
| Kubernetes CPU Limit | 1 | 3 | 5 |
| Kubernetes Memory Request | 1024 MB | 3072 MB | 6144 MB |
| Kubernetes Memory Limit | 1024 MB | 3072 MB | 6144 MB |
| Dragent Memory Watchdog | 512 MB | 1024 MB | 2048 MB |
| Cointerface Memory Watchdog | 512 MB | 2048 MB | 4096 MB |
Note that the agent has its own memory watchdog to prevent runaway
memory consumption on the host in case of memory leaks. The default
values of the watchdog are specified in the following agent
configuration file.
watchdog:
max_memory_usage_mb: 1024
max_memory_usage_subprocesses:
sdchecks: 128
sdjagent: 256
mountedfs_reader: 32
statsite_forwarder: 32
cointerface: 512
max_memory_usage_mb corresponds to the dragent process in the agent.
All the values are given in MiB.
For example, to match the agent watchdog settings with large values, the
agent configuration would be:
watchdog:
max_memory_usage_mb: 2048
max_memory_usage_subprocesses:
sdchecks: 128
sdjagent: 256
mountedfs_reader: 32
statsite_forwarder: 32
cointerface: 4096
1.2.11 -
Using the Agent Console
Sysdig provides an Agent Console to interact with the Sysdig agent. This
is a troubleshooting tool to help you view configuration files and
investigate agent configuration problems quickly.
Access Agent Console
From Explore click the Groupings drop-down.
Select Hosts & Container or Nodes.
Click the desired host to investigate the corresponding agent
configuration.
Click Options (three dots) on the right upper corner of the
Explore tab.
Click Agent Console.
Agent Console Commands
View Help
The ? command displays the commands to manage Prometheus configuration
and targets monitored by the Sysdig agent.
$ prometheus ?
$ prometheus config ?
$ prometheus config show ?
Command Syntax
The syntax of the Agent Console commands is as follows:
directory command
directory sub-directory command
directory sub-directory sub-sub-directory command
View Version
Run the following to find the version of the agent running in your
environment:
$ version
An example output:
12.0.0
Troubleshoot Prometheus Metrics Collection
These commands help troubleshoot Prometheus targets configured in your
environment.
For example, the following commands display and scrape the Prometheus
endpoints respectively.
$ prometheus target show
$ prometheus target scrape
Sub-Directory Commands
The Promscrape CLI consists of the following sections.
config: Manages Sysdig agent-specific Prometheus configuration.
metadata: Manages metadata associated with the Prometheus targets
monitored by the Sysdig agent.
stats: Helps view the global- and job-specific Prometheus
statistics.
target: Manages Prometheus endpoints monitored by Sysdig agent.
Prometheus Commands
Show
The show command displays the information about the subsection. For
example, the following example displays the configuration of the
Prometheus server.
$ prometheus config show
5 Configuration Value
6 Enabled True
7 Target discovery Prometheus service discovery
8 Scraper Promscrape v2
9 Ingest raw True
10 Ingest calculated True
11 Metric limit 2000
Scrape
The scrape command scrapes a Prometheus target and displays the
information. The syntax is:
$ prometheus target scrape -url <URL>
For example:
$ prometheus target scrape -url http://99.99.99.3:10055/metrics
# HELP go_gc_duration_seconds A summary of the GC invocation durations.
7 # TYPE go_gc_duration_seconds summary
8 go_gc_duration_seconds{quantile="0"} 7.5018e-05
9 go_gc_duration_seconds{quantile="0.25"} 0.000118155
10 go_gc_duration_seconds{quantile="0.5"} 0.000141586
11 go_gc_duration_seconds{quantile="0.75"} 0.000171626
12 go_gc_duration_seconds{quantile="1"} 0.00945638
13 go_gc_duration_seconds_sum 0.114420898
14 go_gc_duration_seconds_count 607
View Agent Configuration
The Agent configuration commands have a different syntax.
Run the following to view the configuration of the agent running in your
environment:
$ configuration show-dragent-yaml
$ configuration show-configmap-yaml
$ configuration show-default-yaml
$ configuration show-backend-yaml
The output displays the configuration file. Sensitive data, such as the
credentials, are obfuscated.
customerid: "********"
watchdog:
max_memory_usage_mb: 2048
Security Considerations
User-sensitive configuration is obfuscated and not visible through
the CLI.
All the information is read-only. You cannot currently change any
configuration by using the Agent console.
Runs completely inside the agent. It does not use bash or any other
Linux terminals to prevent the risk of command injection.
Runs only via a TLS connection with the Sysdig backend.
Disable Agent Console
This is currently turned on by default. To turn off Agent Console for a
particular team:
Navigate to Settings > Teams.
Select the team that you want to disable Agent Console for.
From Additional Permissions, Deselect Agent Console.
Click Save.
To turn it off in your environment, edit the following in the
dragent.yaml file:
command_line:
enabled: false
1.3 -
Agent Upgrade
The steps to upgrade an agent differ depending on whether the agent was
originally installed as a
Docker container or as a service.
This section describes how to check the current version of the installed
agents, and then how to upgrade them.
It is highly recommended to follow upgrade best practices:
Keep upgrades current
Upgrade progressively without skipping versions, and
Test upgrades in a non-mission-critical or staging environment
before rolling in to production.
Agent Version Check
Container/Docker Installation
If the agent is installed as container, run a command similar to:
docker exec sysdig-agent /opt/draios/bin/dragent --version
Service Installation
If the agent is installed as a service, run:
/opt/draios/bin/dragent --version
The agent version can also be found in the agent log file:
/opt/draios/logs/draios.log.
Look for the “Agent starting” message, which is logged whenever the
agent restarts.
Update Agent
Update the containerized agent version as you normally update any
container; the basic steps are below.
Use the full run command as shown in the Settings > Agent
Installation tab of your
account. CoreOS users can use the fleet script also shown on the Agent
Installation tab.
Containerized Agent
To see which agent versions are available see this
link.
Docker
Basic Steps: stop the agent, remove it, pull the new agent, and install
it.
The exact Docker command can also be found in the Sysdig Settings >
Agent Installation menu.
docker stop sysdig-agent
docker rm sysdig-agent
docker pull sysdig/agent
docker run . . .
Kubernetes
Check whether .yaml files must be updated:
Updating the agent image does not overwrite the daemonset.yaml and
sysdig-agent-configmap.yaml on your local system. Check the Sysdig
Agent Release Notes to see
if you need to download the latest .yaml files from
GitHub.
Perform update:
kubectl set image ds/sysdig-agent sysdig-agent=sysdig/agent:<TAG>
Watch update status:
kubectl rollout status ds/sysdig-agent
Service Agent
For service (non-containerized) agent installations, updates are
installed as part of the normal system upgrade available with
`apt-get` or `yum`.
Debian, Ubuntu
apt-get update
apt-get -y install draios-agent
CentOS, RHEL, Fedora, Amazon AMI, Amazon Linux 2
yum clean expire-cache
yum -y install draios-agent
1.4 -
Uninstall the Agent
This section describes uninstalling the Sysdig agent when it was
installed as a service.
If the agent was installed as a container, remove it using standard
container commands.
If the agent was installed by an orchestrator, such as Kubernetes,
remove it by using the standard orchestrator commands.
Debian/Ubuntu Distributions
To uninstall the agent from Debian Linux distributions, including
Ubuntu:
As the sudo user, run the following command in a terminal on each
host:
sudo apt-get remove draios-agent
Fedora/CentOS/RHEL/Amazon AMI/ Amazon Linux 2 Distributions
To uninstall the agent from Fedora Linux distributions, including
CentOS, Red Hat Enterprise Linux, as well as Amazon AMI and Amazon Linux
2:
As the sudo user, run the following command in a terminal on each
host:
sudo yum erase draios-agent
2 -
Serverless Agents
Overview
The serverless environment: As cloud platforms have evolved, both
the convenience and the abstraction levels have increased simultaneously
and new agent models are required.
For example, with Amazon’s ECS and EKS, users remain in charge of
managing the underlying virtual host machines. In environments like
Fargate,
however, the hosts are implicitly allocated by the cloud provider and
users simply run their containers without allocating, configuring, or
having any knowledge of the underlying compute infrastructure.
While this “container as a service” model is convenient, it can
introduce risk, as many users leave the containers unattended and don’t
monitor for security events inside them that can exfiltrate secrets,
compromise business data, and increase their AWS/cloud provider costs.
In addition, it is not possible to install a standard agent in an
environment where you do not have access to a host.
For these reasons, Sysdig has introduced a new “serverless agent” that
can be deployed in such container-based cloud environments.
2.1 -
AWS Fargate Serverless Agents
Check the Overview for an
explanation of when and why to use serverless agents in
“container-as-a-service” cloud environments.
Architecture
The Sysdig serverless agent provides runtime detection through policy
enforcement with Falco. At this time, the serverless agent is available
for AWS Fargate on ECS. It is comprised of an orchestrator agent and
(potentially multiple) workload agents.
The Sysdig serverless orchestrator agent is a collection point
installed on each VPC to collect data from the serverless workload
agent(s) and to forward them to the Sysdig backend. It also syncs
the Falco runtime policies and rules to the workload agent(s) from
the Sysdig backend.
The Sysdig serverless workload agent is installed in each task
and requires network access to communicate with the orchestrator
agent.
Installation: For Fargate ECS
For Fargate ECS, the two components of the serverless agent are
installed separately.
For the orchestrator agent, Sysdig provides a
yaml
to use as a CloudFormation Template which you can deploy through the
AWS Console. You need one orchestrator deployment per VPC in your
environment which your organization wants to secure.
For the workload agents, you need one workload agent per Fargate
task definition. (If you have ten services and ten task definitions,
each needs to be instrumented.)
We assume your services use an existing CFT and you will install the
workload agent using an automated process which will instrument all
the task definitions in your CFT.
Prerequisites
On the AWS side:
AWS CLI configured and permissions to create and use an S3 bucket.
Permissions to upload images to repos, deploy CloudFormation
Templates (CFTs), and create task definitions for Fargate
The Fargate tasks you want to instrument with the Sysdig serverless
agent
Two subnets that can connect with the internet. (Your service on
Fargate must reach the orchestrator agent, and the orchestrator
agent must reach the internet to communicate with Sysdig’s back
end.)
A NAT gateway, or, if AWS Internet Gateway is used, you will need to
uncomment the line AssignPublicIp: ENABLED in the
orchestrator.yaml
after installing the orchestrator agent.
On the Sysdig side:
Install the Orchestrator Agent
Obtain the Sysdig Orchestrator Agent
yaml
to be used as the CloudFormation Template source.
For more information on CloudFormation (CFN), see AWS
documentation.
Deploy the orchestrator agent for each desired VPC, using
CloudFormation.
The steps below are an outline of the important Sysdig-related
parts.
Log in to the AWS Console. Select CloudFormation and
Create Stack with new resources and specify the
orchestrator-agent.yaml as the Template source.
Specify the stack details to deploy the orchestrator agent
on the same VPC where your service is running.
Stack name: self-defined
Sysdig Settings
Sysdig Access Key: Use the agent
key
for your Sysdig platform.
Sysdig Collector Host: collector.sysdigcloud.com
(default);
region-dependent
in Sysdig SaaS; custom in Sysdig on-prem.
Sysdig Collector Port: 6443 (default), or could be
custom for on-prem installations.
Network Settings
Advanced Settings
Sysdig Agent Tags: Enter a comma-separated list of tags
(eg. role:webserver,location:europe)Note: tags will also
be created automatically from your infrastructure’s
metadata, including AWS, Docker, etc.
Sysdig Orchestrator Agent Image:
quay-io/orchestrator-agent:latest (default)
Check Collector SSL Certificate: Default: true.
False means no validation will be done on the SSL
certificate received from the collector, used for dev
purposes only.
Click Next, complete the stack creation, and wait for the
deployment to complete (usually less than 10 minutes.)
In Output, take note of the
OrchestratorHost and OrchestratorPort values.
If AWS Internet Gateway is used (as opposed to a NAT Gateway), uncomment
the line AssignPublicIp: ENABLED in the orchestrator.yaml
.
Install the Workload Agents
Automated Process
Prerequisite: Have the orchestrator agent deployed in the
appropriate VPC and have the Orchestrator Host and Port information
handy.
Download the appropriate installer for your OS.
These set up Kilt, an open-source library mechanism for injection
into Fargate containers.
Create a macro for the serverless worker agents, using the
installer. Any service tagged with this macro will have the
serverless worker agent(s) added and Fargate data will be collected.
Log in to AWS CLI.
Create a CFN macro that applies instrumentation. You will
need the outputs from previous task. Example:
./installer-linux-amd64 cfn-macro install -r us-east-1 MySysdigMacro $OrchestratorHost $OrchestratorPort
Add the macro you created to the CFT that you use for your own
service at the root.
Use: Transform: MySysdigMacro.
All new deployments of that template will be instrumented.
Defining Entrypoint and Command in CFT:
In this step, the macro will go over the original CloudFormation
Template looking for ContainerDefinitions to instrument. This
includes replacing the original entry point for the Sysdig entry
point, so ideally the CFT should explicitly describe Entrypoint
and Command. Otherwise, the macro will try to pull the image to
retrieve a default Entrypoint and Command , which only works if
the image is publicly available. Otherwise the pull will fail and
the instrumentation will not be completed.
Complete!
When instrumentation is complete, Fargate events should be visible
in the Sysdig Secure Events feed.
Upgrade: For Fargate ECS
To upgrade the serverless agents, you install a second version of both
components then kill all the running tasks and restart with the new
version. You then delete and clean up the old CloudFormation and Kilt
residuals.
Obtain the Sysdig Orchestrator Agent
yaml
to be used as the CloudFormation Template source.
At this time, the yaml metadata does not specify the agent version,
but this link always downloads the latest file.
Perform the steps to Install the Orchestrator
Agent.
Note that in step 2.4, the OrchestratorHost and OrchestratorPort
values will be unique.
Perform the steps to Install the Workload
Agents.
In step 4, assign a unique name to your macro
(Transform: MyV2SysdigMacro).
You now have two versions of the serverless agent components. When
you are ready to switch from the earlier version, proceed with the
next step.
Stop all running tasks and use CloudFormataion to delete the
earlier stack. Redeploy the new stack with the updated CFT.
(Transform: MyV2SysdigMacro)
Clean up macros: Delete the previous kilt macro using the
installer:
./installer-linux-amd64 cfn-macro delete MySysdigMacro
3 -
Prometheus Remote Write
You can collect Prometheus metrics from environments where the Sysdig
agent is not available. Sysdig uses the remote_write capabilities to
help you do so.
In Sysdig terminology, the remote endpoints that can read Prometheus
metrics are known as Prometheus Remote Write. Prometheus Remote Write
does not require the Sysdig agent to be installed in the Prometheus
environment. This facility expands your monitoring capabilities beyond
Kubernetes and regular Linux kernels to environments where the Sysdig
agent cannot be installed.
Prometheus Remote Write can collect metrics from:
Use Sysdig agent in environments where an agent can be installed.
However, use the Prometheus Remote Write to collect metrics from
ephemeral or batch jobs that may not exist long enough to be scraped by
the agent.
With the Prometheus Remote Write, you can either monitor metrics through
the Monitor UI or you can use PromQL to query the data by using the
standard Prometheus query language.
Enable Prometheus Remote Write
Contact your Sysdig representative to enable Prometheus Remote Write in
your environment.
Endpoints and Regions
Prometheus Remote Write resides in the ingest endpoints for each region
under /prometheus/remote/write. The public Prometheus Remote Write
endpoints for each region are listed below:
You need to configure remote_write in your Prometheus server in order
to send metrics to Sysdig Prometheus Remote Write.
The configuration of your Prometheus server depends on your
installation. In general, you configure the remote_write section in
the prometheus.yml configuration file:
global:
external_labels:
[ <labelname>: <labelvalue> ... ]
remote_write:
- url: "https://<region-url>/prometheus/remote/write"
bearer_token: "<your API Token>"
tls_config:
insecure_skip_verify: true
The communication between your Prometheus server and Prometheus Remote
Write should use the authorization header with the Sysdig API key (not
the agent access key) as the bearer token.
Alternatively, you can also use the bearer_token_file entry to refer
to a file instead of directly including the API token.
Prometheus does not reveal the bearer_token value on the UI.
Customize Metrics
To enable customization, Sysdig provides additional options to control
which metrics you want to send to Prometheus Remote Write.
Manage Metrics
Prometheus Remote Write by default sends all the metrics to Sysdig
Prometheus Remote Write. These metrics are sent with a
remote_write: true label appended to it so you can easily identify
them.
Label Metrics
You can specify custom label-value pairs and send them with each time
series to the Prometheus Remote Write. Use the external_labels block
in the global section in the Prometheus configuration file. This is
similar to setting an agent tag and allowing you to filter or scope the
metrics in Sysdig Monitor.
For example, if you have two Prometheus servers configured to remote
write to Prometheus Remote Write, you can include an external label to
identify them easily:
Prometheus 1
global:
external_labels:
provider: prometheus1
remote_write:
- url: ...
Prometheus 2
global:
external_labels:
provider: prometheus2
remote_write:
- url: ...
Filter Metrics
With the general configuration, all the metrics are by default remotely
written to Prometheus Remote Write. You can control the metrics that you
collect and send to Sysdig. To select which series and labels to
collect, drop, or replace, and reduce the number of active series that
are sent to Sysdig, you can set up relabel configurations by using
the write_relabel_configs block within your remote_write section.
For example, you can send metrics from one specific namespace called
myapp-ns as give below:
remote_write:
- url: https://<region-url>/prometheus/remote/write
bearer_token_file: /etc/secrets/sysdig-api-token
write_relabel_configs:
- source_labels: [__meta_kubernetes_namespace]
regex: ‘myapp-ns’
action: keep
Rate Limit
The default limits are configured set for each user and can be raised as
required. The defaults are good for most users, and the limits help
protect against any misconfigurations.
Parallel writes | 100 concurrent requests. This doesn’t necessarily mean 100 Prometheus servers because the time at which the data is written is distributed. |
Data points per minute | One million. The number of data points sent depends on how often metrics are submitted to Sysdig. A scrape interval of 10s will submit more DPM than an interval of 60s. |
Number of writes per minute | 10,000 |
Limitations
Metrics sent to Prometheus Remote Write can be accessed in
Explore, but they are not compatible with the scope tree.
Prometheus Remote Write metrics won’t work with Team Scope.
Label enrichment is unavailable at this point. Only labels collected
at the source can be used. You should add additional labels to
perform further scoping or pivoting in Sysdig.
Currently, Sysdig Dashboards do not support mixing metrics with
different sampling. For example, 10 seconds and 1-minute samples.
For optimal experience, configure the scrape interval to be 10s to
combine remote write metrics with agent metrics.
Remote write functionality does not support sending metric metadata.
Upstream Prometheus recently added support for propagation of
metadata (metric type, unit, description, info) and this
functionality will be supported in a future update to Prometheus
Remote Write.
Suffix the metric name with _total, _sum , or _count to
store them as a counter. Otherwise, the metrics will be handled
as a gauge.
Units can be set in Dashboards manually.
Learn More
4 -
Sysdig Secure for cloud
Sysdig Secure for cloud is the software that connects Sysdig Secure
features to your cloud environments to provide unified threat detection,
compliance, forensics, and analysis.
Because modern cloud applications are no longer just virtualized compute
resources, but a superset of cloud services on which businesses depend,
controlling the security of your cloud accounts is essential. Errors can
expose an organization to risks that could bring resources down,
infiltrate workloads, exfiltrate secrets, create unseen assets, or
otherwise compromise the business or reputation. As the number of cloud
services and configurations available grows exponentially, using a cloud
security platform protects against having an unseen misconfiguration
turn into a serious security issue.
Multiple Installation Options
At this time, Sysdig Secure for cloud is available on AWS using either:
An AWS CloudFormation Template (CFT): This option provides all
four cloud features: threat detection, CSPM benchmarks, and image
and container registry scanning), or
Terraform files: for two types of AWS
account
Organizational/management account: This is the account that
you use to create the organization in AWS. Organizational
accounts create and contain member accounts.
At this time, only threat detection is available for
organizational/management accounts
Single/member account: Each of these is a stand-alone
account which can be a member of only one organization at a
time.
At this time, threat detection, CSPM benchmarks, and image and
container registry scanning are all available for single
accounts.
About Sysdig Secure for cloud on AWS
On AWS, Sysdig Secure for cloud offers a range of features which can
deployed together or separately from a single CloudFormation Template.
Threat detection based on auditing CloudTrail events
Compliance Security Posture Management (CSPM) in the form of CIS AWS
Benchmark compliance evaluations
Container registry scanning for ECR
Image scanning for Fargate on ECS
Threat Detection Based on CloudTrail
Threat Detection leverages audit logs from AWS CloudTrail plus Falco
rules to detect threats as soon as they occur and bring governance,
compliance, and risk auditing for your cloud accounts.
A rich set of Falco rules, an AWS Best Practices default policy, and
an AWS CloudTrail policy type for creating customized policies are
included. These correspond to security standards and benchmarks such as:
NIST 800-53, PCI DSS, SOC 2, MITRE ATT&CK®, CIS AWS, and AWS
Foundational Security Best Practices
CSPM/Compliance with CIS AWS Benchmarks
A new cloud compliance standard has been added to the Sysdig compliance
feature - CIS AWS Benchmark. This assessment is based on an
open-source engine - Cloud Custodian - and is an initial release of
Sysdig Cloud Security Posture Management (CSPM) engine. This first
Sysdig cloud compliance standard will be followed by additional security
compliance and regulatory standards for GCP, IBM Cloud and Azure.
The CIS AWS Benchmarks assessment evaluates your AWS services against
the benchmark requirements and returns the results and remediation
activities you need to fix misconfigurations in your cloud environment.
We’ve also included several UI improvements to provide additional
details such as: control descriptions, affected resources, failing
assets, and guided remediation steps, both manual and CLI-based when
available.
ECR Registry Scanning
ECR Registry Scanning automatically scans all container images pushed to
all your Elastic Container Registries, so you have a vulnerability
report available in your Sysdig Secure dashboard at all times, without
having to set up any additional pipeline.
An ephemeral CodeBuild pipeline is created each time a new image is
pushed, which executes an inline scan based on your defined scan
policies. Default policies cover vulnerabilities and dockerfile best
practices, and you can define advanced rules yourself.
Fargate Image Scanning on ECS
Fargate Image Scanning automatically scans any container image deployed
on a serverless Fargate task that run on Elastic Container Service. This
includes public images that live in registries other than ECR, as well
as private ones for which you set the credentials.
An ephemeral CodeBuild pipeline is automatically created when a
container is deployed on ECS Fargate to execute the inline scan.
Cloud Account Limits
Currently, the Enterprise version of Sysdig Secure for cloud can audit
a maximum of 50 cloud accounts.
If this limit needs to be increased, please contact your account team.
If you exceed the license purchased, Sysdig will not block cloud
connection or stop the service and the account team will reach out to
you.
See Also:
4.1 -
Deploy Sysdig Secure for cloud on AWS
Review the offering description on Sysdig Secure for
cloud, if needed.
Choose whether you will deploy with a CloudFormation Template
(CFT)
or
Terraform
file.
Onboarding a Single Account using a CFT
Each of the features can be enabled from a single CloudFormation
Template (CFT) from the AWS Console.
Deploying the CFT will add the default cloud
policies and rules to any
existing Sysdig Secure installations.
Prerequisites
A Sysdig Secure SaaS account
An AWS account and AWS services you would like to connect to Sysdig,
with appropriate permissions to deploy a CFT.
Steps
Log in to your AWS Console and confirm that you are in the account
and AWS region that you want to secure using Sysdig Secure for
cloud.
Log in to Sysdig Secure as Admin and select
Get Started > Connect your Cloud account. Choose the
AWS(CloudFormation) tab.
Click Launch Stack.
The AWS Console opens, at the
CloudFormation > Stacks > Quick Create page. The Sysdig
CloudFormation template is pre-loaded.
Confirm that you are logged in the AWS account and region where you
want to deploy the Sysdig Template.
Provide a Stack name or accept the default.
Fill in the Parameters:
Sysdig Settings
Sysdig Secure Endpoint:
Default (US-East): https://secure.sysdig.com. If your Sysdig
Secure platform is installed in another region, use that
endpoint.
US West: https://us2.app.sysdig.com
European Union: https://eu1.app.sysdig.com
Sysdig Secure API Token: See Retrieve the Sysdig API
Token
to find yours.
Modules to Deploy: Choose any or all.
CSPM/Compliance: Deploys the CIS AWS Benchmarks in Sysdig’s
Compliance module.
Threat detection using CloudTrail: Deploys everything needed
to detect threats based on CloudTrail events.
ECR Image Registry Scanning: Integrates container registry
scanning for AWS ECR.
Fargate Image Scanning: Integrates image scanning on any any
container image deployed on a serverless Fargate task (in ECS).
Existing Infrastructure: Leave all three entries blank to have a
cluster, VPC, and subnet created automatically. Otherwise, you can
provide existing:
ECS Cluster Name
VPC ID
Private subnet ID(s)
Confirm the Capabilities required to deploy:
Click Create Stack.
In the AWS Console, the main stack and associated substacks will
show “CREATE_IN_PROGRESS”. Refresh the status to see
“CREATE_COMPLETE” for all. There is a delay of 5-10 minutes for
events to be sent from CloudTrail, but no event is lost.
A success message also appears in the Sysdig Secure Get Started
page.
Terraform-based install instructions differ depending on what type of
AWS account you are using.
At this time, the options include:
For Single/Member Account
The default code provided in the Get Started page of Sysdig Secure is
pre-populated with your Secure API token and will automatically install
threat detection with CloudTrail, AWS benchmarks, and container registry
and image scanning.
Prerequisites
Permissions
Sysdig Secure administrator permissions
AWS profile credentials configuration
For AWS, you You must have administrator permissions, or
permissions to create each of the
resources
specified in the resources list. Sysdig provides an IAM policy
containing the required
permissions.
Steps
Log in to Sysdig Secure as Admin and select
Get Started > Connect your Cloud account. Choose the
AWS (Terraform) tab.
Copy the code snippet under Single Account and paste it in the
terminal of your local machine. It should be pre-configured with
your Sysdig API token.
Then run:
$ terraform init
When complete, run:
$ terraform apply
which will present the changes to be made, ask you to confirm them,
then make the changes.
Confirm the Services are
Working
Check
Troubleshooting
in case of permissions or account conflict errors.
For Organizational/Management Account
For organizational accounts, the default code provided in the Get
Started page of Sysdig Secure is pre-populated with your Secure API
token and will automatically install threat detection with CloudTrail
(only).
Prerequisites
Have Terraform installed on the local
machine.
A Sysdig Secure SaaS account
A Sysdig Secure for Cloud organizational member account ID.
We recommend creating a unique member account for Sysdig Secure for
cloud.
Permissions
Steps
Log in to Sysdig Secure as Admin and select
Get Started > Connect your Cloud account. Choose the
AWS (Terraform) tab.
Copy the code snippet under Organizational Account and paste it
in the terminal of your local machine. It should be pre-configured
with your Sysdig API token.
Then run:
$ terraform init
When complete, run:
$ terraform apply
which will present the changes to be made, ask you to confirm them,
then make the changes.
Confirm the Services are
Working
Check
Troubleshooting
in case of permissions or account conflict errors.
Soon, this option will be expanded to include all the features currently
in the single account option, as well as the ability to easily add
multiple member accounts.
Customizing the Install
Both the Single Account and Organizational Account code examples are
configured with sensible defaults for the underlying inputs. But if
desired, you can edit the region, module enablement, and other Inputs.
See details for:
Resources Created by Each Module
Cloud-bench
aws_iam_role
aws_iam_role_policy_attachment
sysdig_secure_benchmark_task
sysdig_secure_cloud_account
Cloud-connector
aws_cloudwatch_log_stream
aws_ecs_service
aws_ecs_task_definition
aws_iam_role
aws_iam_role_policy
aws_s3_bucket
aws_s3_bucket_object
aws_s3_bucket_public_access_block
aws_security_group
aws_sns_topic_subscription
aws_sqs_queue
aws_sqs_queue_policy
Cloud-scanning
If cloud-connector or cloud-scanning is installed, these additional
modules will be installed:
resource-group
cloudtrail
ssm
ecs-fargate-cluster
If cloud-scanning is installed, these additional modules will be
installed:
codebuild
aws_cloudwatch_log_group
aws_codebuild_project
aws_iam_role
aws_iam_role_policy
Troubleshooting
Resolve 409 Conflict Error
This error may occur if the specified cloud account has already been
onboarded to Sysdig.
Solution:
The cloud account can be imported into Terraform by running:
terraform import module.cloud_bench.sysdig_secure_cloud_account.cloud_account CLOUD_ACCOUNT_ID
Resolve Permissions Error/Access Denied
This error may occur if your current AWS authentication session does not
have the required permissions to create certain
resources.
Solution:
Ensure you are authenticated to AWS using a user or role with the
required permissions.
Confirm the Services are Working
Log in to Sysdig Secure and check that each module you deployed is
functioning. It may take 10 minutes or so for events to be collected and
displayed.
Check Overall Connection Status
Data Sources:
Select Data Sources from the User menu to see all connected
cloud accounts.
Subscription: Select Settings > Subscription to see an
overview of your account activity, including cloud accounts.
Insights: Check that
Insights have been
added to your navigation bar. View activity on the Cloud Account,
Cloud User, or Composite insight views.
Check Threat Detection
Policies: Check Policies > Runtime Policies and confirm that
the AWS Best Practices policy is enabled. This consists of the
most-frequently-recommended rules for AWS and CloudTrail. You can
customize it by creating a new policy of the AWS
CloudTrail
type.
Events: In the Events feed, search ‘cloud’ to show events from
AWS CloudTrail.
Check CSPM/AWS Benchmarks
Compliance: Select Compliance and see that
AWS Foundations Benchmark is installed.
Review the benchmark results and confirm the account, region and
date added.
Check Scanning for ECR and Fargate
Scan Results: CheckImage Scanning > Scan Resultsand choose
the Origins drop-down.
Confirm that AWS Registry and/or AWS Fargate are listed.
Filter by the desired origin and review scan results.
See Also
5 -
Rapid Response: Installation
With Rapid Response, Sysdig has introduced a way to grant designated
Advanced Users in Sysdig Secure the ability to remote connect into a
host directly from the Event stream and execute desired commands there.
Rapid Response team members have access to a full shell from within the
Sysdig Secure UI. Responsibility for the security of this powerful
feature rests with you: your enterprise and your designated employees.
See also: Rapid Response.
Prerequisites
Sysdig Secure On-Premises 4.0+
SaaS enablement available on a per-case basis at this time.
Have on hand:
Your Sysdig agent access
key
Your Sysdig API endpoint (custom, depending on your on-prem
installation)
A passphrase used to encrypt all traffic between the user and
host.
NOTE: Sysdig cannot recover this passphrase. If lost, a user
will not be able to start a session, nor will any session logs
be recoverable.
Optionally, these can be added to the environment variables:
export API_ENDPOINT=https://secure-staging.mycompany.com
export ACCESS_KEY=$YOUR_SYSDIG_API_KEY
export PASSPHRASE=$ENCRYPTION_PASSPHRASE
export API_TLS_SKIP_CHECK=false
This feature is available as of Sysdig Platform
v.4.0, on-premises. Be
sure your system has been upgraded appropriately. SaaS enablement is on
a per-case basis at this time; please discuss your situation with Sysdig
Support.
Install Host Component
The Rapid Response agent can be installed as a Docker container or as a
Kubernetes DaemonSet.
As Docker Container
Mount the host directories and binaries to gain access to the host.
docker run --hostname $HOST_NAME -d quay.io/sysdig/rapid-response-host-component:latest --endpoint $API_ENDPOINT --access-key $ACCESS_KEY --password $PASSPHRASE
Customize the Docker image.
The container is simply bash shell. To add custom scripts without
needing to mount the underlying host filesystem, you can bake this
into the Docker container, e.g. by installing kubectl, gcloud,
netstat, or another command-line utility.
FROM quay.io/sysdig/rapid-response-host-component:latest AS base-image
FROM alpine:3.13
COPY --from=base-image /usr/bin/host /usr/bin/host
# add custom scripts and other directives
ENTRYPOINT ["host"]
As Kubernetes DaemonSet
Create a namespace and secrets for the Rapid Response agent:
kubectl create ns rapid-response
kubectl create secret generic sysdig-rapid-response-host-component-access-key --from-literal=access-key=$ACCESS_KEY -n rapid-response
kubectl create secret generic sysdig-rapid-response-host-component-passphrase --from-literal=passphrase=$PASSPHRASE -n rapid-response
Create the configmap and change the API_ENDPOINT parameter:
echo "apiVersion: v1
kind: ConfigMap
metadata:
name: sysdig-rapid-response-host-component
data:
api-endpoint: ${API_ENDPOINT}
api-tls-skip-check: 'false'" | kubectl apply -n rapid-response -f -
Deploy the DaemonSet.
Note: The agent does not automatically have access to the host
filesystem; there are several mounts commented-out in the manifest
that must be uncommented to investigate the host.
echo "# apiVersion: extensions/v1beta1 # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: sysdig-rapid-response-host-component
labels:
app: sysdig-rapid-response-host-component
spec:
selector:
matchLabels:
app: sysdig-rapid-response-host-component
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
app: sysdig-rapid-response-host-component
spec:
hostNetwork: true
volumes:
# Add custom volume here
# Uncomment these lines if you'd like to map /root/ from the
# host into the container.
#- hostPath:
# path: /
# name: host-root-vol
- name: sysdig-rapid-response-host-component-config
configMap:
name: sysdig-rapid-response-host-component
optional: true
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
containers:
- name: sysdig-rapid-response-host-component
image: quay.io/sysdig/rapid-response-host-component
#securityContext:
# The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to
# running containers by default regardless of volume mounts. In those cases, access to the CRI socket would fail.
# privileged: true
imagePullPolicy: Always
resources:
limits:
cpu: 500m
memory: 500Mi
requests:
cpu: 250m
memory: 250Mi
# Add custom volume mount here
# Uncomment these lines if you'd like to map /root/ from the
# host into the container.
#volumeMounts:
#- mountPath: /host
# name: host-root-vol
env:
- name: API_ENDPOINT
valueFrom:
configMapKeyRef:
name: sysdig-rapid-response-host-component
key: api-endpoint
- name: API_TLS_SKIP_CHECK
valueFrom:
configMapKeyRef:
name: sysdig-rapid-response-host-component
key: api-tls-skip-check
- name: ACCESS_KEY
valueFrom:
secretKeyRef:
name: sysdig-rapid-response-host-component-access-key
key: access-key
- name: PASSWORD
valueFrom:
secretKeyRef:
name: sysdig-rapid-response-host-component-passphrase
key: passphrase" | kubectl apply -n rapid-response -f -
Complete the Configuration
After installation/upgrade, complete the following steps:
Request enablement of the feature from Sysdig Support.
Configure an S3 bucket for Rapid Response
logs: If you are
using the default Cassandra storage for Capture files, you will need
to configure an AWS or custom S3 bucket to store Rapid Response log
files after a session. If you have already configured an S3 bucket
for Captures, then Rapid Response logs will be routed there
automatically, into their own folder.
Manage the following port/firewall considerations:
Ensure the host component is able to reach the endpoint defined
in API_ENDPOINT
Ensure there are no intermediate proxies that could enforce
maximum time to live (since sessions could potentially have long
durations)
Ensure that the host component can reach the object storage (S3
bucket) when configured.
Configure and use Rapid Response in the Sysdig Secure UI: See
Rapid Response.
6 -
Node Analyzer: Multi-Feature Installation
What Is the Node Analyzer?
The Node Analyzer (NA) provides a method for deploying the
components for three different Sysdig Secure features:
(Node) Image
Analyzer:
an existing tool that can now be installed and/or upgraded in a new
way, alongside the other two components.
Benchmarks (v2):
Installs a new component (called a benchmark runner) which is
required to use Benchmarks v2, including an updated interface and
new improved features. The legacy Benchmark tool can still be
accessed.
The Benchmarks portion of the Node Analyzer install currently
available on Sysdig Secure SaaS only.
**Host Scanning:**a
new tool for scanning not just the images/containers on a host, but
the host itself.
Installation Options
All the Node Analyzer components, along with the Sysdig agent, are
deployed per node or host. You can deploy them using various methods:
Fresh Install: Agent + Node Analyzer
If you are installing Sysdig Secure for the first time and have not yet
deployed any agents, you can use a single-line install to deploy both
the Sysdig agent and the Node Analyzer (NA) tools. The script will make
changes to each node or host within a cluster.
curl -s
https://download.sysdig.com/stable/install-agent-kubernetes | sudo bash -s
-- --access_key ACCESS_KEY --collector COLLECTOR_URL --collector_port 6443 --nodeanalyzer --api_endpoint API_ENDPOINT
For SaaS, see also the Get
Started
page in Sysdig Secure. Under “Connect Your Data Sources,” the script is
generated with your endpoints automatically inserted.
On-Premises with Self-Signed Cert:
If you want the Node Analyzer to report to an On-Prem Sysdig backend
that uses a self-signed certificate, then: Add -cc false to the
command line so the node analyzer will accept it.
To find the values yourself:
access_key: This is the agent access key. You can
retrieve
this from Settings > Agent Installation in the Sysdig Secure UI.
collector_url: This value is
region-dependent in
SaaS and is auto-completed on the Get Started page in the UI. (It is
a custom value in on-prem installations.)
api_endpoint: This is the base URL (
region-dependent) for
Sysdig Secure and is auto-completed on the Get Started page. E.g.
secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com.
When finished, you can Access the Node Analyzer
Features.
Use this script in the following conditions:
Agent is already installed, you just want the NA tools
Node Image Analyzer already installed; you want to upgrade it to v2
You want to add Benchmarks v2 and Host Scanning features to your
existing Sysdig Secure environment, as well as upgrade or install
the Image Analyzer.
Note that if you already have the Node Image Analyzer (v1) installed,
this script will upgrade that component automatically. An agent MUST
already be installed. The script will make changes to every node in the
cluster.
curl -s https://download.sysdig.com/stable/install-node-analyzer | sudo bash -s -- --api_endpoint API_ENDPOINT
When finished, you can Access the Node Analyzer
Features.
Daemonset Install
To deploy the Node Analyzer using Kubernetes daemonsets,
download
the following configuration files, edit them as annotated within the
files, and deploy them.
To deploy the Node Analyzer concurrently with the Sysdig agent, you
would also download the sysdig-agent-clusterrole.yaml,
sysdig-agent-daemonset-v2.yaml, and sysdig-agent-configmap.yaml and
deploy them as described in Agent Install:
Kubernetes.
You need to deploy these YAMLs after installing the Sysdig agent in the
same nodes, and also in the same namespace (sysdig-agent by default).
When finished, you can Access the Node Analyzer
Features.
Install with Helm
Use the “Sysdig” Helm chart,
which installs the Sysdig agent and the Node Analyzer, with the
following commands:
helm repo add sysdig https://charts.sysdig.com
helm repo update
helm install sysdig-agent --set sysdig.accessKey=ACCESS_KEY --set sysdig.settings.collector=COLLECTOR_URL --set sysdig.settings.collector_port=6443 sysdig/sysdig --set nodeAnalyzer.collectorEndpoint=API_ENDPOINT
To find the values:
access_key: This is the agent access key. You can
retrieve
this from Settings > Agent Installation in the Sysdig Secure UI.
collector_url: This value is
region-dependent in
SaaS and is auto-completed on the Get Started page in the UI. (It is
a custom value in on-prem installations.)
api_endpoint: This is the base URL (
region-dependent) for
Sysdig Secure and is auto-completed on the Get Started page. E.g.
secure.sysdig.com, us2.app.sysdig.com, eu1.app.sysdig.com.
Access the Node Analyzer Features
Log in to Sysdig Secure and check that the features are working as
expected.
Confirm the Image
Analyzer:
is functioning
Select Scanning > Image Results.
Check for scanned container image results that originate with the
Sysdig Node Image Analyzer.
Use Benchmarks (v2)
The Benchmarks portion of the Node Analyzer install currently available
on Sysdig Secure SaaS only.
Select Compliance > Benchmarks |Tasks.
Either configure a new
task or review your
upgraded tasks. Click
a line item to see the associated benchmark report.
Your active team scope is applied when loading benchmarks results.
Log in with the broadest team and user credentials to see the full
report.
Use Host Scanning to
check vulnerabilities in hosts or nodes, both for operation system
packages (e.g. rpm, dpkg) and non-operating system packages (e.g.
Java packages, Ruby gems).
Select Scanning > Hosts.
Review the Host vulnerabilities listed.
Your active team scope is applied when loading host scanning
results. Log in with the broadest team and user credentials to see
the full report.
Alternate Install Cases
The installation options above should be sufficient for the majority of
users; the options below allow for customizations and special cases.
Running Node Analyzer Behind a Proxy
Depending on your organization’s network design, you may require the
HTTP requests from Node Analyzer features to pass through a proxy in
order to reach the Sysdig Secure backend. To do so, you must edit all
three configmaps:
These are in the sysdig-agent namespace by default.
Configure the following variables:
http_proxy/https_proxy Use with the relevant proxy URL, e.g.
http://my_proxy_address:8080.
In most cases, it is enough to specify http_proxy. as it applies
to HTTPS connections as well.
no_proxy Use this parameter to exclude certain subnets from using
the proxy, adding a comma-separated exclusion list, e.g.
127.0.0.1,localhost,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
If the proxy server requires authentication it is possible to specify
credentials in the URL, e.g. http://username:password@my_proxy:8080.
Running in a Non-Kubernetes Environment
This is handled per-component.
Benchmarks (Non-Kubernetes)
It is possible to deploy the benchmark runner as a single Docker
container:
docker run -d -v /:/host:ro -v /tmp:/host/tmp --privileged --network host --pid host -e BACKEND_ENDPOINT=https://<sysdig_backend_endpoint> -e ACCESS_KEY=<Sysdig agent access key> -e BACKEND_VERIFY_TLS=false -e TAGS=<custom_tags> quay.io/sysdig/compliance-benchmark-runner:latest
Note: If you don’t want to pass the access key directly via the
command line, consider using an alternative method of passing
environment variables, such as docker-compose.
The BACKEND_ENDPOINT is only required if for Sysdig on-prem or
when using a Sysdig SaaS region other than US-EAST.
For example, for the EU SaaS endpoint would be:
https://eu1.app.sysdig.com.
See also: SaaS Regions and IP
Ranges.
BACKEND_VERIFY_TLS=false is only needed if you are using an
on-prem backend with a self-signed certificate.
TAGS: The list of tags for the host where the agent is installed.
For example: “role:webserver, location:europe”, “role:webserver”
or “webserver”.
Image Analyzer (Non-Kubernetes)
It is also possible to run the image analyzer as a single Docker
container:
docker run -d -v /var/run:/var/run --privileged --network host -e AM_COLLECTOR_ENDPOINT=https://<sysdig_backend_endpoint>/internal/scanning/scanning-analysis-collector -e ACCESS_KEY=<Sysdig agent access key> -e VERIFY_CERTIFICATE=false quay.io/sysdig/node-image-analyzer:latest
Note: If you don’t want to pass the access key directly via the
command line, consider using an alternative method of passing
environment variables, such as docker-compose.
The AM_COLLECTOR_ENDPOINT is only required if for Sysdig on-prem
or when using a Sysdig SaaS region other than US-EAST.
For example, for the EU SaaS endpoint would be:
https://eu1.app.sysdig.com/internal/scanning/scanning-analysis-collector .
See also: SaaS Regions and IP
Ranges.
VERIFY_CERTIFICATE=false is only needed if you are using an
on-prem backend with a self-signed certificate.
Host Scanning (Non-Kubernetes)
To install the Host Scanning component in a non-Kubernetes environment,
you can use:
docker run -d -v /:/host:ro --privileged \-e AM_COLLECTOR_ENDPOINT=https://<sysdig_backend_endpoint>/internal/scanning/scanning-analysis-collector \-e ACCESS_KEY=<Sysdig agent access key> \-e VERIFY_CERTIFICATE=false \-e SCHEDULE=@dailydefault /quay.io/sysdig/host-analyzer:latest
Note: If you don’t want to pass the access key directly via the
command line, consider using an alternative method of passing
environment variables, such as docker-compose.
The BACKEND_ENDPOINT is only required if for Sysdig on-prem or
when using a Sysdig SaaS region other than US-EAST.
For example, for the EU SaaS endpoint would be:
https://eu1.app.sysdig.com.
See also: SaaS Regions and IP
Ranges.
BACKEND_VERIFY_TLS=false is only needed if you are using an
on-prem backend with a self-signed certificate.
TAGS: The list of tags for the host where the agent is installed.
For example: “role:webserver, location:europe”, “role:webserver”
or “webserver”.
For Image Analyzer Component Only
These cases affect only the Image Analyzer component of the Node
Analyzer installation.
Installing Image Analyzer Component Alone
It is still possible to install the image analyzer component without
benchmarks or host scanning. This option normally would apply only to
previous users of the former node image analyzer who want to upgrade
just that component, for whatever reason.
This can be done by downloading the
sysdig-image-analyzer-daemonset.yaml
and
sysdig-image-analyzer-configmap.yaml
and deploying.
You need to deploy these YAMLs after installing the Sysdig agent in the
same nodes, and also in the same namespace (sysdig-agent by default).
Kubernetes Requiring Custom Socket Path
By default, the image analyzer will automatically detect the socket to
mount from:
Docker socket from /var/run/docker/docker.sock
CRI-O socket from/var/run/crio/crio.sock
CRI-containerd socket from/var/run/containerd/containerd.sock
Some setups require the analyzer to use custom socket paths.
If the socket is located outside /var/run, the corresponding volume
must be mounted as well. You can configure it via the single line
installer script or by manually editing the daemonset and configmap
variables.
When using the installer, use the-cv option to mount an additional
volume and add -ds -cs or -cd to specify a Docker, CRI, or
CRI-containerd socket respectively.
See the script -help command for additional information.
Examples:
For K3S, which uses containerd, add:
-cd unix:///run/k3s/containerd/containerd.sock -cv /run/k3s/containerd
For Pivotal, which uses a custom path for the Docker socket, use:
-ds unix:///var/vcap/data/sys/run/docker/docker.sock -cv /var/vcap/data/sys/run/docker
Daemonset Resource Limit Considerations
During its regular operation, the Image Analyzer uses much less memory
than the limit specified in the daemonset configuration. However, in
some cases, processing an image may require more memory, depending, for
example, on image size, content or package types.
This issue can be detected by looking for abnormal spikes in the memory
usage of the Image Analyzer pods which are also showing analysis errors.
In such cases we recommend trying to increase the analyzer memory usage
up to three times the size of the unprocessed images, if the cluster
available memory allows.
Component Configurations
Image Analyzer Configmap Options
For special cases, the image analyzer can be configured by editing the
sysdig-image-analyzer configmap in the sysdig-agent namespace with
the following options:
docker_socket_path
| The Docker socket path, defaulting to unix:///var/run/docker/docker.sock If a custom path is specified, ensure it is correctly mounted from the host inside the container. |
cri_socket_path
| The socket path to a CRI compatible runtime, such as CRI-O, defaulting to unix:///var/run/crio/crio.sock. If a custom path is specified, ensure it is correctly mounted from the host inside the container. |
containerd_socket_path
| The socket path to a CRI-Containerd daemon, defaulting to unix:///var/run/containerd/containerd.sock If a custom path is specified, ensure it is correctly mounted from the host inside the container. |
collector_endpoint
| The endpoint to the Scanning Analysis collector, specified in the following format: https://<API_ENDPOINT>/internal/scanning/scanning-analysis-collector |
ssl_verify_certificate
| Can be set to "false" to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. |
debug
| Can be set to "true" to show debug logging, useful for troubleshooting. |
http_proxy
| Proxy configuration variables. |
https_proxy
| |
no_proxy
| |
Host Scanning Configuration Options
The analyzer component of the Host
Scanning feature can be
configured by editing the sysdig-host-analyzer configmap in
thesysdig-agentnamespace with the following options:
| Option | Description |
|---|
schedule | The scanning schedule specification for the host analyzer expressed as a crontab string such as “5 4 * * *” (more examples). The default value of @dailydefault instructs the analyzer to automatically pick a schedule that will start shortly after it is deployed and will perform a scan every 24 hours. |
dirs_to_scan | The list of directories to inspect during the scan, expressed as a comma separated list such as /etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db |
collector_endpoint | The endpoint to the Scanning Analysis collector, specified in the following format: https://<API_ENDPOINT>/internal/scanning/scanning-analysis-collector |
max_send_attempts | The number of times the analysis collector is allowed to retry sending results if backend communication fails |
ssl_verify_certificate | Can be set to "false" to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. |
debug | Can be set to "true" to show debug logging, useful for troubleshooting. |
http_proxy | Proxy configuration variables. |
https_proxy | |
no_proxy | |
Benchmark Runner Configuration Options
The benchmark runner component can be
configured by editing the sysdig-benchmark-runner configmap in
the sysdig-agent namespace with the following options:
| Option | Description |
|---|
collector_endpoint | The Secure API endpoint, specified in the following format: https://<API_ENDPOINT> |
ssl_verify_certificate | Can be set to "false" to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. |
debug | Can be set to "true" to show debug logging, useful for troubleshooting. |
http_proxy | Proxy configuration variables. |
https_proxy | |
no_proxy | |
7 -
Admission Controller: Installation
To use the admission controller after it is installed, see Admission
Controller.
Understanding the Admission Controller
Kubernetes' admission controllers help you define and customize which
requests are allowed on your cluster. An admission controller intercepts
and processes requests to the Kubernetes API prior to persistence of the
object, but after the request is authenticated and authorized.
Image Scanning Capabilities: Sysdig’s Admission Controller
(UI-based) builds upon Kubernetes and enhances the capacity of the image
scanner to check images for Common Vulnerabilities and Exposures (CVEs),
misconfigurations, outdated images, etc., elevating the scan policies
from detection to actual prevention. Container images that do not
fulfill the configured admission policies will be rejected from the
cluster before being assigned to a node and allowed to run.
Kubernetes Audit Logging Capabilities (SaaS only): Enable the
features.k8sAuditDetections=true option to use Kubernetes audit
logging features with the admission controller. (See also: Kubernetes
Audit Logging.)
Enable in Sysdig Labs (for Image Scanning)
Log in to Sysdig Secure as administrator and select
Settings|User Profile.
Under Sysdig Labs, enable the Admission Controller feature and click
Save.
The links to the Admission Controller pages will appear under Image
Scanning in the left-hand navigation.
Installation
The component must be installed on each cluster where you want to use
it.
If you have installed the CLI-based
version of the Admission
Controller, the UI-based version is not backwards-compatible. You will
need to uninstall the old version and install the UI-based version
instead.
Prerequisites
Install the Admission Controller
Make sure kubectl is pointing to the target cluster where the
Admission Controller will be installed.
Add and synchronize the Helm repository:
helm repo add sysdig
https://charts.sysdig.com
helm repo update
Install the Admission Controller on the target cluster, e.g.:
helm install sysdig-admission-controller \
--create-namespace \
--namespace sysdig-admission-controller \
--set sysdig.secureAPIToken=$SYSDIG_API_TOKEN \
--set clusterName=$CLUSTER_NAME \
--set sysdig.url=https://$SYSDIG_SECURE_ENDPOINT \
--set features.k8sAuditDetections=true \
sysdig/admission-controller
Check that installation was successful in the Sysdig UI. Log in to
Sysdig Secure and select
Image Scanning>Admission Controller|Policy Assignments.
By default, the cluster shows Connected (healthy), but
Disabled (grey dot right of the name). Admission Controllers are
disabled by default to avoid accidentally blocking deployment.
Installation Parameters
sysdig.secureAPIToken: Sysdig Secure API token as found in the
Sysdig UI under Settings/User
Profile. Note that this
user must have administrator rights.
clusterName: User-defined name for this cluster that will appear
in the admission controller interface in Sysdig’s backend. The
cluster name needs to match the agent cluster name.
Sysdig.url: Sysdig endpoint. Default
https://secure.sysdig.com is for the us-east region.
For us-west use https://us2.app.sysdig.com
For European Union, use https://eu1.app.sysdig.com See also SaaS
Regions and IP Ranges.
features.k8sAuditDetections: true/false. Set true to enable
Kubernetes audit logging via the Admission Controller. See also:
Kubernetes Audit
Logging (legacy
installation) and Select the Policy
Type
(Kubernetes Audit Policies)
For more information: See the full Admission Controller Helm chart
documentation.
Upgrades
Upgrading from Scanning-Only Admission Controller
If you already have the Sysdig Admission Controller installed and want
to upgrade:
helm upgrade \
--namespace sysdig-admission-controller \
--set features.k8sAuditDetections=true \
--reuse-values \
sysdig-admission-controller sysdig/admission-controller
For those customers who already have the Admission Controller AND
already enabled Kubernetes audit logging via the legacy
method, you can still
install/upgrade to the new Admission Controller. Just be sure to set
features.k8sAuditDetections=falseto avoid collecting and displaying
duplicate events.
How to Uninstall the CLI-based Version
If you have installed the CLI-based
version of the Admission
Controller, the UI-based version is not backwards-compatible. You will
need to uninstall the old version and install the UI-based version
instead.
Deploy the following:
$ helm uninstall -n sysdig-admission-controller sysdig-admission-controller